April 2, 2019

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.


March 31, 2019

Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.


March 29, 2019

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.


March 29, 2019

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.


March 22, 2019

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control of it and changed the password, temporarily locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.


March 21, 2019

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.



March 17, 2019

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.


March 13, 2019

Ad Network Sizmek Probes Account Breach

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of the people named in those screenshots are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world’s third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not an all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — were likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”


March 13, 2019

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and SharePoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.


March 10, 2019

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.




All About Skimmers

The series I’ve written about ATM skimmers, gas pump skimmers and other related fraud devices have become by far the most-read posts on this blog. I put this gallery together to showcase the entire series, and to give others a handy place to reference all of these stories in one place. Click the headline or the image associated with each blurb for the full story.

Real card slot on left, skimmer on right.

Jan. 15, 2010: Would You Have Spotted the Fraud? Pictured here is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution. This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

ATM PIN capture device

ATM PIN capture overlay device pulled back to reveal the legitimate PIN entry pad.

Feb. 2, 2010: ATM Skimmers, Part II …The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin’s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.

The backside end of a standard, $1,500 Diebold skimmer sold online.

March 25, 2010: Would You Have Spotted This ATM Fraud? …The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.

A bogus PIN pad overlay

June 3, 2010: ATM Skimmers: Separating Cruft from Craft …The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

The backside of a GSM-based PIN pad overlay

June 17, 2010: Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message – Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit and debit card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message.

Bluetooth-enabled gas pump skimmer.

July 20, 2010: Skimmers Siphoning Card Data at the Pump …Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks.

Fun With ATM Skimmers, Part III …According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

Nov. 10, 2010: All-in-One Skimmers – ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs. Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

Audio skimmer for Diebold ATMs

Nov. 23, 2010: Crooks Rock Audio-based ATM Skimmers – The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analogue skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

A GSM-based ATM card skimmer.

Dec. 13, 2010: Why GSM-based ATM Skimmers Rule …So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models — that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).


Jan. 17, 2011: ATM Skimmers, Up Close
…I wasn’t sure whether I could take this person seriously, but his ratings on the forum — in which buyers and sellers leave feedback for each other based on positive or negative experiences from previous transactions — were good enough that I figured he must be one of the few people on this particular forum actually selling ATM skimmers, as opposed to just lurking there to scam fellow scammers.

Jan. 31, 2011: ATM Skimmers That Never Touch the ATM …Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place. Yet, many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

Feb. 16, 2011: Having a Ball With ATM Skimmers …On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.

Mar. 11, 2011: Green Skimmers Skimming Green…To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.

April 10, 2001: ATM Skimmers: Hacking the Cash Machine …Most of the ATM skimmers I’ve profiled in this blog consist of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.

This paper-thin membrane fits under the real PIN pad.

May 18, 2011: Point-of-Sale Skimmers: Robbed at the Register …Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.

3D printer firm i.materialise received and promptly declined orders for these skimmer devices.

Sept. 20, 2011: Gang Used 3D Printers for ATM Skimmers …An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say. Apparently, word is spreading in the cybercrime underworld that 3D printers produce flawless skimmer devices with exacting precision. In June, a federal court indicted four men from South Texas (PDF) whom authorities say had reinvested the profits from skimming scams to purchase a 3D printer.

An audio skimmer for a Diebold ATM.

Oct. 13, 2011: ATM Skimmer Powered by MP3 Player …Almost a year ago, I wrote about ATM skimmers made of parts from old MP3 players. Since then, I’ve noticed quite a few more ads for these MP3-powered skimmers in the criminal underground, perhaps because audio skimmers allow fraudsters to sell lucrative service contracts along with their theft devices. The vendor of this skimmer kit advertises “full support after purchase,” and “easy installation (10-15 seconds).” But the catch with this skimmer is that the price tag is misleading. That’s because the audio files recorded by the device are encrypted. The Mp3 files are useless unless you also purchase the skimmer maker’s decryption service, which decodes the audio files into a digital format that can be encoded onto counterfeit ATM cards.

Dec. 7, 2011: Pro Grade (3D Printer-Made?) ATM Skimmer… In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Backside of an ATM skimmer found this year at a bank in the San Fernando Valley area of California.

April 25, 2012: Skimtacular: All-In-One ATM Skimmer…I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

July 24, 2012: ATM Skimmers Get Wafer Thin… It’s getting harder to detect some of the newer ATM skimmers, fraud devices attached to or inserted into cash machines and designed to steal card and PIN data. Among the latest and most difficult-to-spot skimmer innovations is a wafer-thin card reading device that can be inserted directly into the ATM’s card acceptance slot.

Sept. 5, 2012: A Handy Way to Foil ATM Skimmers… I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.

Nov. 20, 2012: Beware Card- and Cash-trapping at the ATM …Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspecting users.

A crude skimming device removed from an Inova Hospital in Fairfax, Va. last month.

Dec. 12, 2012: ATM Thieves Swap Security Camera for Keyboard…This blog has featured stories about a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine.

Dec. 18, 2012: Point-of-Sale Skimmers: No Charge…Yet… If you hand your credit or debit card to a merchant who is using a wireless point-of-sale (POS) device, you may want to later verify that the charge actually went through. A top vendor of POS skimmers ships devices that will print out “transaction approved” receipts, even though the machine is offline and is merely recording the customer’s card data and PIN for future fraudulent use.

Feb. 1, 2013: Pro-Grade Point-of-Sale Skimmer….Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

Apr. 24, 2013: How Not To Install an ATM Skimmer…. Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.

The MSR-605 components combined with a battery and flash drive. The red stuff is 3M double-sided tape.

July 16, 2013: Getting Skimpy With ATM Skimmers…Cybercrooks can be notoriously cheap, considering how much they typically get for nothing. I’m reminded of this when I occasionally stumble upon underground forum members trying to sell a used ATM skimmer: Very often, the sales thread devolves into a flame war over whether the fully-assembled ATM skimmer is really worth more than the sum of its parts.

Oct. 10, 2013: Nordstrom Finds Cash Register Skimmers …Scam artists who deploy credit and debit card skimmers most often target ATMs, yet thieves can also use inexpensive, store-bought skimming devices to compromise modern-day cash registers. Just this past weekend, for instance, department store chain Nordstrom said it found a half-dozen of these skimmers affixed to registers at a store in Florida.

Dec. 3, 2013: Simple But Effective Point-of-Sale Skimmer…Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.

Dec. 18, 2013: The Biggest Skimmers of All: Fake ATMs …This blog has spotlighted some incredibly elaborate and miniaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

Jan. 22, 2014: Gang Rigged Pumps With Bluetooth Skimmers…Authorities in New York on Tuesday announced the indictment of thirteen men accused of running a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern United States.

May 30, 2014: Thieves Planted Malware to Hack ATMs…A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.

July 14, 2014: The Rise of Thin, Mini and Insert Skimmers…Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here’s a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year.

August 21, 2014: Stealthy, Razor Thin ATM Insert Skimmers…An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

October 20, 2014: Spike in Malware Attacks on Aging ATMs…This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

November 26, 2014: Skimmer Innovation: ‘Wiretapping’ ATMs …Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to the ATM’s internal card reader.

December 9, 2014: More on Wiretapping ATM Skimmers…Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

January 6, 2015: Thieves Jackpot ATMs with Black Box Attack…Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.

March 17, 2015: Door Skimmer + Hidden Camera = Profit…If an ATM you’d like to use is enclosed in a vestibule that requires a card swipe at the door, it might be a good idea to go find another machine, or at least use something other than a payment card to gain entry. Thieves frequently add skimmers to these key card locks and then hide cameras above or beside such ATMs, allowing them to steal your PIN and card data without ever actually tampering with the cash machine itself.

April 6, 2015: Hacking ATMS, Literally…Most of the ATM skimming attacks written about on this blog conclude with security personnel intervening before the thieves manage to recover their skimmers along with the stolen card data and PINs. However, an increasingly common form of ATM fraud — physical destruction — costs banks plenty, even when crooks walk away with nothing but bruised egos and sore limbs.

May 4, 2015: Foiling Pump Skimmers with GPS…Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty.

July 22, 2015: Spike in ATM Skimming in Mexico?…Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.

Aug. 11, 2015: Chip Card ATM ‘Shimmer’ Found in Mexico …Fraud experts in Mexico have discovered an unusual ATM skimming device that can be inserted into the mouth of the cash machine’s card acceptance slot and used to read data directly off of chip-enabled credit or debit cards. The device pictured below is a type of skimmer known as a “shimmer,” so named because it acts as a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.

Sept. 14, 2015: Tracking a Bluetooth Skimmer Gang in Mexico…Halfway down the southbound four-lane highway from Cancun to the ancient ruins in Tulum, traffic inexplicably slowed to a halt. There was some sort of checkpoint ahead by the Mexican Federal Police. I began to wonder whether it was a good idea to have brought along the ATM skimmer instead of leaving it in the hotel safe. If the cops searched my stuff, how could I explain having ultra-sophisticated Bluetooth ATM skimmer components in my backpack?

Sept. 15, 2015: Tracking Bluetooth Skimmers in Mexico, Part II …I spent four days last week in Mexico, tracking the damage wrought by an organized crime ring that is bribing ATM technicians to place Bluetooth skimmers inside of cash machines in and around the tourist areas of Cancun. Today’s piece chronicles the work of this gang in coastal regions farther south, following a trail of hacked ATMs from Playa Del Carmen down to the ancient Mayan ruins in Tulum.

Dec. 16, 2015: Skimmers Found at Some Calif., Colo. Safeways…Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.

Feb. 3, 2016: Spike in ATM Skimming in Mexico? …In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states. Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offer a closer look at one such device.

Feb. 9, 2016: Skimmers Hijack ATM Network Cables…If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

May 5, 2016: Crooks Go Deep With ‘Deep Insert’ Skimmers…ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls “deep insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine. KrebsOnSecurity’s All About Skimmers series has featured several stories about insert skimmers. But the ATM manufacturer said deep insert skimmers are different from typical insert skimmers because they are placed in various positions within the card reader transport, behind the shutter of a motorized card reader and completely hidden from the consumer at the front of the ATM.

May 25, 2016: Skimmers Found at Walmart: A Closer Look …Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations remind me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals. Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.

June 13, 2016: ATM Insert Skimmers In Action…KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work.

June 24, 2016: How to Spot Ingenico Self-Checkout Skimmers…A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.

17 Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.
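The reset flow the reader describes, modelled as an added example that is not code from KrebsOnSecurity, Yahoo or Flashpoint: a phone-only reset beside a hardened one that requires the account identifier and refuses to send a code when the number was reassigned after the user last proved control of it. Accounts, numbers, the carrier reassignment feed and the one-year re-verification limit are all constructed or hypothetical.

```python
"""Phone-number password reset, modelled two ways: the phone-only flow the reader
describes, and a hardened flow that refuses to treat a recycled number as identity.
Added example, not code from KrebsOnSecurity, Yahoo or Flashpoint. Accounts, numbers
and the carrier reassignment feed are constructed; the feed is a hypothetical stand-in
for a carrier "number changed hands" signal, and the age limit is a policy choice."""
from dataclasses import dataclass
from datetime import date, timedelta
import hmac
import secrets
from typing import Dict, Optional

MAX_VERIFY_AGE = timedelta(days=365)  # hypothetical policy: re-prove control yearly


@dataclass
class Account:
    email: str
    phone: str
    phone_verified_on: date  # last time the user proved control of this number


# Constructed directory. The previous holder of +15550100 bound it in 2016 and
# never re-verified it; the carrier later released and reassigned the number.
ACCOUNTS: Dict[str, Account] = {
    "prev.owner@example.com": Account("prev.owner@example.com", "+15550100", date(2016, 5, 1)),
    "someone.else@example.com": Account("someone.else@example.com", "+15550199", date(2019, 1, 10)),
}
# Constructed, hypothetical carrier feed: date each number went to a new subscriber.
NUMBER_REASSIGNED_ON: Dict[str, date] = {"+15550100": date(2018, 11, 20)}
# Codes "sent" by SMS. Whoever holds the SIM reads them: the code proves possession
# of the number, not identity, which is the whole problem.
SENT_CODES: Dict[str, str] = {}


def send_sms_code(phone: str) -> None:
    SENT_CODES[phone] = f"{secrets.randbelow(1_000_000):06d}"


def code_matches(phone: str, code: str) -> bool:
    stored = SENT_CODES.pop(phone, None)  # single use
    return stored is not None and hmac.compare_digest(stored, code)


def lookup_by_phone(phone: str) -> Optional[Account]:
    return next((a for a in ACCOUNTS.values() if a.phone == phone), None)


# Weak flow: the number alone selects the account and the SMS code alone unlocks it.
# Nothing the original owner knows (email, name, password) is ever asked for.
def weak_reset_start(phone: str) -> bool:
    if lookup_by_phone(phone) is None:
        return False
    send_sms_code(phone)
    return True


def weak_reset_finish(phone: str, code: str) -> Optional[str]:
    acct = lookup_by_phone(phone)
    return acct.email if acct and code_matches(phone, code) else None


# Hardened flow: the requester must name the account, the number must have been
# verified after the carrier last reassigned it and within MAX_VERIFY_AGE, and every
# failure looks the same so the email/phone pairing is never confirmed to the caller.
def hardened_reset_start(email: str, phone: str, today: date) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct.phone, phone):
        return False
    reassigned = NUMBER_REASSIGNED_ON.get(phone)
    if reassigned is not None and acct.phone_verified_on < reassigned:
        return False  # number changed hands since the user last proved control of it
    if today - acct.phone_verified_on > MAX_VERIFY_AGE:
        return False  # binding too old to trust; route to a non-SMS recovery channel
    send_sms_code(phone)
    return True


def hardened_reset_finish(email: str, phone: str, code: str) -> Optional[str]:
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone:
        return None
    return acct.email if code_matches(phone, code) else None


def demo(today: date = date(2019, 3, 17)) -> dict:
    """New holder of +15550100 tries both flows; a legitimate user tries the hardened
    flow. Returns which account, if any, each attempt unlocked."""
    SENT_CODES.clear()
    phone = "+15550100"
    weak_reset_start(phone)
    weak = weak_reset_finish(phone, SENT_CODES.get(phone, ""))
    # Even knowing the old owner's email, the new holder is refused: the number was
    # reassigned after it was last verified.
    hardened = None
    if hardened_reset_start("prev.owner@example.com", phone, today):
        hardened = hardened_reset_finish("prev.owner@example.com", phone, SENT_CODES[phone])
    legit = None
    if hardened_reset_start("someone.else@example.com", "+15550199", today):
        legit = hardened_reset_finish("someone.else@example.com", "+15550199", SENT_CODES["+15550199"])
    # returns {'weak': 'prev.owner@example.com', 'hardened': None, 'legit': 'someone.else@example.com'}
    return {"weak": weak, "hardened": hardened, "legit": legit}
```

The reassignment feed is the piece commenter 3 below asks carriers to supply; without it, the hardened flow can only fall back on the age of the binding.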

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you knew was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied to any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone numbers are tied to peoples’ identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Oftentimes when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There are all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.

Update, March 18, 1:25 p.m. ET: On March 14, Google published instructions describing how to disable SMS or voice in 2-step verification on G Suite accounts.

82 comments

  1. As mentioned above; Scandinavia (or at least Sweden) has a system that is harder to crack. On the other hand, we have a much smaller economy with far fewer banks to trust…

    To open a bank account (and e-banking) you have to show up in person and verify identity with physical ID-card. Most banks use some type of 2FA for login, either one-time use codes from scratch cards, code generating hardware, card readers that read chip based ID-cards or similar.

    Once on the inside, the bank can issue a Bank-ID for use on your device together with a code. https://www.bankid.com/en/

    If you change device you need to re-issue a Bank-ID via your bank. And, they have a limited lifetime before they are rendered invalid.

    The system is in wide spread use by business, finance and government. You can even do your tax returns with Bank-ID as ID-verification.

    The system is not totally secure of course, in fact there are quite a lot of social engineering attacks going on, but it seems a better system than the totally insecure way of using phone numbers as validation of identity.

  2. I think it’s best to get a pager cause it can be paid for a long time and will never disconnect

  3. Telephony technology has changed significantly over the last 30 years. However legacy assumptions have not fully caught up. The North American PSTN (public switched telephone network) was traditionally a centrally controlled, limited access network. Being a hardwired network, the phone number was tightly controlled and was the actual address of a physical location which could be step-wise “walked” to the destination. Now, the network is (for the most part) a digital packet switched network, with phone numbers being a virtually routed address at best, and phone number ownership a matrix of relationships. In this current environment phone numbers should be carefully used and verified, and treated more like IP addresses. I blame some of the issues discussed in your article on the telephone companies that provision these phone numbers. They are the owners of these “addresses” and the only entities that know the end-point being addressed. They should take some responsibility for how accurate phone numbers are. Without some rudimentary real-time method to verify a phone number is active and has not recently changed “hands”, those that rely on the phone number have no way to trust it. Laws like the Telephone Consumer Protection Act (TCPA) attempt to help the consumer but put much of the burden on the caller. The owners of the numbers should be required to provide tools to allow those who rely on the phone number to abide by the law.

  4. Only idiots use ‘free’ email services like gmail, yahoo, etc. One needs to pay a fee (or operate one’s own email server) and ideally register your own email domain – to make it portable to other platforms. (And the domain registration needs to be well locked down).

    • So, Rick, if one starts paying Google a fee (for e.g. G Suite), would that resolve your concern? If so, could you elaborate, please?

    • Not So Slick Rick

      Just to clarify, are you suggesting the normal average Joe user does this? If so, I have some follow-up questions:

      1.) Who do you think you are?
      2.) What gives you the right?

      I hate so much of what you choose to be, Rick.

  5. Yet another Dongle

    I note that the old ‘ask some questions’ routine has popped up. In its defence, I keep a register of unusual answers. For example a person that has been through an unpleasant marriage breakup might list where they had their honeymoon as ‘Hades’, or their first car might be a roller skate.

    Of course, most people answer honestly, which means their answers are probably obtainable online. What’s my mother’s maiden name? The correct answer is easily found. My answer, ahem, not so much. My first pet? Probably discoverable, but not the answer I record.

    Nevertheless, that requires a register (that is encrypted) because I can’t remember all the wild responses. Not many are prepared to do that. It’s not a satisfactory situation.

    • “One of the problems of successful lying is that it’s hard work.”

    • Chuck van der Linden

      The trick is to use the ‘real’ answer as a mental trigger to your answer.

      For example if the model of your first car was a Mustang, your answer might be “For Pony!”

      Not perfect, as it does run a risk if security answers are breached on a site.

      To be safer you’d need different answers at every site, and that does require some kind of register such as an encrypted doc in a password store. Still a risk, but at least you’ve reduced it to how you maintain that document.

      (note: potentially a good idea to have one or two trusted family members know about that doc, in the event you are incapacitated or killed and someone else needs to gain access to those accounts. )

  6. This is why I have 1-time codes printed out on paper stashed away in a safe place. If I ever lose my phone, I can get back into the account without access to SMS or an authenticator app.

  7. My adult son “lost” his phone number and phone because his separated wife “bricked” his iPhone by reporting it “stolen” or lost. She had control of the family’s Verizon account and my son could not gain access without a court order. The marital judge heard the complaint but would not deal with the issue.
    My son lost both his phone number and his phone and access to his 2FA texts, etc. It was terrible and avoidable if any good will was involved.

  8. Not only a matter of privacy, but also of being practical. Paypal only accepts numbers from the country your account is from. I had a lot of headache when I moved from Spain to Italy…

    I cancelled my Spanish number and, surprise, wasn’t able to access my Spanish paypal account anymore. And good luck trying to reach customer service, they were not able to help me. I almost lost a few hundred euros. Now, I’m spending some time in another country, but had to keep my Italian number just so Paypal won’t screw me again.

  9. It also doesn’t help when many major online social/media sites ASSUME a 1-to-1 of phone numbers and individuals when registering (or “verifying”) your account. So if you want to use a shared phone for two (or more) legitimate separate accounts in a short period, you’re out of luck. Just 20 years ago, it probably wasn’t uncommon for single [land line] phone to be used by 2-4 people, and some still do.

    What’s worse is when online account verification allows you to use voice instead of SMS, which I expect is for non-mobile users (i.e. land lines or other common household phones, like VoIP service). So they simultaneously support such phones while assuming they are 1-to-1, despite knowing such phones are typically multi-user.

  10. I’ve got a new phone number, downloaded Whatsapp and got all private communications from a previous user in it!
    I deleted whatsapp from my phone and never wish to use it.

  11. The use of phone numbers as persistent identifiers is a huge privacy problem that my colleagues and I are studying. We’re currently conducting a survey to collect negative experiences related to phone numbers. If anyone has similar stories to the ones in the post, we’d love to hear them!

    https://umich.qualtrics.com/jfe/form/SV_bHMnNQK0ranAnHL

  12. I wonder why nobody has mentioned the W3C WebAuthn yet. With it finalized, there is an alternate way of authenticating people without passwords or phone numbers.

    Provided a site implements the necessary WebAuthn steps, you can register a mobile or hardware token with which you are able to (even pseudonymously) authenticate at a site.

    Registering more than one token then allows authentication backups that are much much more secure than Security Questions or SMS Communication.

    And Joe Doe users will probably grasp the concept quite fast, because the metaphor of a simple door-lock key works quite well on this.

  13. Oh, now I see it actually has been mentioned several times, directly and indirectly (FIDO, fingerprint, …).

    Yes it is a technical solution (like using mobile for 2FA is) and does cost the User a bit.

    But the costs also mean that creating fake accounts does have an upper limit.

  14. Similar things happen with email addresses. There are many airlines, banks, credit card companies, insurance companies, financial companies and many other companies that do not verify email addresses. And email addresses can be reused in many places.

    I have a simple email address: first initial, last name at gmail. I get at least 3 or 4 emails PER DAY for someone else because these companies haven’t confirmed the email address and someone, somewhere typed it incorrectly (or didn’t know that their own email address is first initial, last name plus some number). I’ve had email from American Express, Intuit (about someone else’s tax return being accepted), Walmart, airlines, car rental places, wifi hotspots at many airports, doctors to their patients, a half dozen banks etc. who are meant to be going somewhere else. Stores in the US, UK, and many other countries around the world.

    Most have:
    1. No way to report this.
    2. No way to unsubscribe.

    I treat them as spam or phishing when there is no easy way to report them and then let their phishing and spam people deal with them.

    For the doctors that might have HIPAA violations, I try to cc the office on the spam reports.

    The people involved in these entities’ security departments are way behind the curve.


19
Mar 14

Are Credit Monitoring Services Worth It?

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Experian ‘protection’ offered for Target victims.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one). But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done. It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster. And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them at this link.

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.

AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.

In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”

Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.

AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).

I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.

Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax.

“After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”

Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide.

Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.

“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”

Avivah Litan, a fraud analyst with Gartner Inc., rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.

-Most won’t tell you if a new wireless or cable service has been taken out in your name.

-They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

-They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

-They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

DO THESE SERVICES HELP AT ALL?

“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”

Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).

“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data. So, some of these firms have access to some extra data than can help in other scenarios.”

While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.

“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”

Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by a jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.

ALTERNATIVES TO CREDIT MONITORING

As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.


146 comments

  1. I used to have an account with AllClearId (formerly Debix) when the price was a reasonable $10 per year or so, but I dropped it because the price increased to a very unreasonable $8/month and because I realized after I had refinanced a mortgage that the company had done absolutely nothing during the process to warn me that new credit was being established in my name. About a month later my cell phone rang asking me if I had opened a mortgage, and at that point the damage would have already been done.

    Consumer Reports recommended this year against using any credit monitoring service for this exact reason. You can accomplish the same thing for free by spreading out your free credit reports to once every four months and removing your name from the pre-screen opt out list.

    • Although I totally agree with you, and that is how I used to do it – I decided to go with a service from my password management company, because they have built a solid reputation for closely monitoring the security of their servers, and I wasn’t as nervous at having my information there. Also they encrypt everything just in case there was a breach. I get absolutely instantaneous alerts from them right at my computer desktop! I once applied for a loan at the bank and 15 minutes after I got home the alert popped up detailing what, when, and where the requesting agency made the credit inquiry. So far I’ve never been let down by LastPass, going on two years now. I was also able to look at any addresses I’d supposedly lived at, and vetted those as well.

      You can take advantage of the free product as well, which may be the smartest way to go ever. They will alert you to changes, then they even recommend you can contact the reporting services for free, just as you have detailed, but in this scheme you would get timely information, and not waste any free reports until needed. That is the way I see it – maybe someone could read the agreement further and suggest corrections to my understanding here:

      https://lastpass.com/creditmonitoring.php?cmd=showterms

  2. Equifax, no problem, Experian would not allow me to place a freeze on our names for me or my husband and there is no way to talk to a person, live on the phone. Does anyone know how to either get a hold of Experian or why they would not allow us to place a security freeze on our lives?

    • Others have written good advice on freeze information here, but I have read it can be hard to get anything done, especially with Experian. I bet if you sent a letter they’d have to respond.

      Experian
      P.O. Box 9556
      Allen, TX 75013

      Send all mail CERTIFIED. Certified mail cannot easily be ignored. And send copies, never originals, of all documents.

      Usually if the online process doesn’t work it will redirect you to a page that you can print out, with the forms you need. I’ve never done this for a credit freeze though, but I would think there would also be a choice in this process online.

    • In his article above he states: “Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.”
      If this is true it would seem you would not have to contact Experian directly to get it with them as well. At least that is how I interpret it.

      • Freeze != fraud alert. You can’t enact a freeze with all three bureaus by just alerting one. You need to file a freeze request with all, and any unfreeze requests on individual basis.

    • Send a certified letter, they are legally required to do so.

  3. This article from Mr. Krebs brings up a number of interesting questions in addition to the one that the title poses (are credit monitoring services worth it?). One that I think most salient, right on the back of the huge Target breach, is whether the current approach taken by companies in responding to a data breach effective for the affected individuals?

    Now let’s consider that there are multiple factors at play in crafting a data breach response strategy. There are regulatory mandates based on state data breach notification laws, and in some cases federal regulations, that require notification of the affected population and have something to say about what content must be included in the notification. Then there is, in many cases, an offer of a free identity protection product (most typically credit monitoring) for some period of time (typically no less than one year) which is done voluntarily by the breached organization.

    As Avivah Litan from Gartner, Inc. notes, the offer of credit monitoring has become a “de facto public response” to a data breach and this can be done as much or more for “PR” purposes in intent, rather than as a result of thoughtful consideration as to whether this is the most efficacious offering for addressing the potential harms to the affected individuals. Which gets back to the title question as to “are credit monitoring services worth it?”

    I generally agree with Mr. Krebs that “it probably can’t hurt”. It’s like taking your vitamins when you feel like you may be coming down with a cold. They might help. They aren’t the only way for you to get those nutrients, you could always eat healthier and drink a lot of orange juice for extra vitamin C, but it might make you feel just a little better knowing that you’re doing something to address this new risk.

    So given this, two things where I’d like to suggest some food for thought. First, should legislators do more to ensure consumer protection in cases of malicious data breaches? If offering credit monitoring has become “de facto”, and if it isn’t very efficacious, should more or something different be required? Some in the industry have suggested that a more effective solution would be to provide identity restoration services. Rather than using credit monitoring to provide a late, early-warning indicator, maybe consumers would be better off with services to help them out if/when they become a victim of identity theft? (full disclosure: my company, ID Experts, provides fully managed identity restoration services)

    And second, there is the nagging question in the back of my mind as to whether I’m comfortable giving Experian more information about me. By signing up for their credit monitoring, they now have a valid email address and phone number for me. And they also have my permission to send me emails encouraging me to “buy extra stuff”. I’m certain to get offers to upgrade my service and to sign up to pay for service once the free offering period expires. Maybe of even greater concern to me, though, is that Experian is in the business of selling information about me to other companies that want to market “their stuff” to me, among other things.

    So this question of what an organization should do for individuals when they’ve exposed personal information about them in a data breach has many tentacles. Unfortunately no simple answers.

  4. Excellent article. Exposes much of the reality surrounding monitoring products and why the average consumer is so utterly confused and misinformed. For the reasons stated in this article, and many more, our firm’s core belief is complete identity theft resolution for all types of identity theft/fraud. When the circumstance of identity theft strikes (and it will strike all of us) we take charge, stop the thieves cold and fully resolve all issues whether it takes two hours or two years. We do this not only for our Members, but also for any relative residing in the Member’s household. It’s an incredible Program, 24/7/365 World-Wide. Why would you pay for something that does not fix the problems? We already know monitoring products are expensive and mostly ineffective. It would be like buying car insurance that tells you that you just had an accident but is only going to fix a portion of your car…you have to fix the rest yourself. Is that something you should pay for? Check us out @ http://www.guardwellid.com We are growing exponentially because we do what we say we are going to do and we do it very well. We protect families, not just individuals.

  5. I’m curious about everyone’s thoughts on monitoring/protecting children? Is this something that should be started at birth? I’d be interested to hear any stories out there.

  6. Blanche Dubois

    The market for Credit Monitoring Services (CMS) should determine whether subscribing to any CMS that covers one Credit Reporting Agency (CRA) given that there are 3 others, is useful as to comprehensibility, posting and reporting, timeliness, and cost. But “market” means fully informed buyers and sellers, negotiating on a standardized product. Most CMS buyers are ill-informed if not ignorant of the crucial details of the entire loan underwriting process, and the CMS sellers hype bells and whistles for a very marginal service.
    Even using such a marginal service (“gee, it’s free from Target/Neiman’s, it can’t hurt”) helps delude the post-breach victim that he’ll get real defense with the core threat, the theft of his Critical Personal Identifying Info’s 4 elements (SSN, DOB, drivers license #, name), and his CPII’s mis-use.

    I am not interested in being notified long after the fact of CPII compromise and New Account fraud, by a CMS cheerleader, and then trying to swab up the financial blood on the floor.
    I am interested in PREVENTING the download of my CR to any NEW lender by a CPII thief, even if my CPII was previously compromised by my dentist’s admin assistant needing some ready cash, armed only with a flash drive; or an SQL insertion into my bank or his processor; or me handing my CPII to a “street entrepreneur” holding a gun; or me losing a wallet; or my (previously unknown) now gambling-addicted cousin rifling my financial cabinets during our annual family Thanksgiving dinner.

    That kind of CR download prevention protection is available only from a Security Freeze.
    It is definitely NOT available from a 90-day FA or a 7-year EFA, equally as marginal as CMS.

    What you will spend ANNUALLY for CMS services, you can spend ONE TIME, for a lifetime Security Freeze at each of the four CRAs.
    For your own NEW Credit applications, the Freeze can be lifted 15 minutes after your phone call with your PIN, to a dedicated CRA telephone line for a time specific period. You can get a Security Freeze for your baby, or your adult, but disabled child, or Alzheimered grandma; all stellar CPII theft candidates, along with you. This is 2014.

    FYI: Loan Underwriting Process
    When adverse data is posted on a CPII victim’s CRA Credit Report, it is long after the fact of:
    a) when the ID thief submitted a loan application with the victim’s stolen CPII;
    b) when the lender vetted the application (“CR pull”); and
    c) granted the loan funds to the thief under stolen CPII (“same day loan service?”). Alas, the new loan’s existence will not be reported to the lender’s CRA until the usual date he sends off his “monthly loan performance tapes” to the CRA (1-30 days after loan funds granted);
    d) when that loan went into “arrears”, and after its “late period” (after another 30-45 days);
    e) when the lender reported that arrears to the CRA (see monthly loan performance tapes);
    f) when the CRA got around to posting the adverse data to its CR database (5-10 days), and only then does the victim’s Credit Score really tank;
    g) when the CMS service got around to sending a “Credit Score tank” email advisory to its client (only if the CMS is using that lender’s CRA’s database; delayed further if the CMS is using one of the other three);
    h) when the victim properly interprets steps b) through g) and its meaning for him, whilst keeping his facebook account current and other charming aspects of 2014 tech life.
    Did you follow all that and the players, time, and sequence involved?

    However, there were two lender reported clues (one is murky) to the CRA early in the process that, had they been interpreted properly by the victim alone or his surrogate, would have informed both that his CPII had been compromised. But even if both clues were understood, it would not have ameliorated either the damage or the victim’s lengthy and costly repair effort. Those early points are b) and c) above, separated by 15-30 days.
    Point b) would have been recorded as a “CR pull” at one of the four CRAs that the lender uses. Whether a New lender’s pull would have set off any alarm is problematic, as the victim’s existing lenders routinely do a CR pull (“inquiry”) as a legitimate part of existing loan risk management. New and existing lenders’ “pulls” are reported in the same section of the CR. To add further confusion/murkiness to that section, some legitimate lenders’ marketers may pull a “credit header” (top of the CR) which that CRA may or may not post as an “inquiry”. By itself, one inquiry has no effect on the Credit Score. A series of them within 45 days should, but not with the sheer tanking effect of an “arrears” post.
    Point c) When the New loan was posted to the victim’s CR at the CRA, assuming the CMS noted it, did the victim understand what this meant? Even if he did, the thief has had his stolen funds for at least 3-10 weeks and a head start. A knowledgeable consumer helps, but what does he do with these CMS alerts when he’s on vacation or out of the country, or if/when the ID thief also compromised his CMS notification email account? Hmmmm.
    (The Target breach involved 70 million email accounts, which is gravy sold separately from the stolen PII and 40 million credit cards, by the thieves. Hmmmm.)
    When a CMS says he’ll “stop ID thieves cold”, put your hand on your wallet.
    The CRA sloppiness described above and CMS “services” should be low hanging fruit to the CFPB, but they’ve got their hands full fighting pseudo “over reach claims” from the Hill, pushed by bank and credit union lobbyists. But I digress.

    What won’t a Security Freeze stop?
    An illegal alien buying my compromised CPII and using it to get a job in Utah, and registering to vote in many states and DC, for openers.
    But at least I’ll learn about the job compromise when the IRS charges that I deliberately under-reported my income from a chicken chopper job in Utah and they have the W-2 to prove it. Right.
    If your CPII is compromised, you will become intimately acquainted with affidavits and notaries. Did I say this is 2014?
    CPII compromise and data security today is a race without a finish line. Prevent what you can prevent, with a Security Freeze. (Disclosure: I don’t sell them.)


Tax Refund Fraud — Krebs on Security


19
Jul 18

Human Resources Firm ComplyRight Breached

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.

Pompano Beach, Fla.-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach. Indeed, many readers who received these letters wrote to KrebsOnSecurity asking for more information, as the company hadn’t yet published any details about the breach on its Web site. Also, most of those folks said they’d never heard of ComplyRight and could not remember ever doing business with a company by that name.

Neither ComplyRight nor its parent company Taylor Corp. responded to multiple requests for comment this past week. But on Wednesday evening, ComplyRight posted additional facts about the incident on its site, saying a recently completed investigation suggests that fewer than 10 percent of individuals with tax forms prepared on the ComplyRight platform were impacted.

According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.

ComplyRight says it learned of the breach on May 22, 2018, and that the “unauthorized access” to its site persisted between April 20, 2018 and May 22, 2018.


16
Apr 18

Deleted Facebook Cybercrime Groups Had 300,000 Members

Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members who flagrantly promoted a host of illicit activities on the social media network’s platform. The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools. The average age of these groups on Facebook’s platform was two years.

On Thursday, April 12, KrebsOnSecurity spent roughly two hours combing Facebook for groups whose sole purpose appeared to be flouting the company’s terms of service agreement about what types of content it will or will not tolerate on its platform.

One of nearly 120 different closed cybercrime groups operating on Facebook that were deleted late last week. In total, there were more than 300,000 members of these groups. The average age of these groups was two years, but some had existed for up to nine years on Facebook.

My research centered on groups whose singular focus was promoting all manner of cyber fraud, but most especially those engaged in identity theft, spamming, account takeovers and credit card fraud. Virtually all of these groups advertised their intent by stating well-known terms of fraud in their group names, such as “botnet helpdesk,” “spamming,” “carding” (referring to credit card fraud), “DDoS” (distributed denial-of-service attacks), “tax refund fraud,” and account takeovers.

Each of these closed groups solicited new members to engage in a variety of shady activities. Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

Here is a spreadsheet (PDF) listing all of the offending groups reported, including: Their stated group names; the length of time they were present on Facebook; the number of members; whether the group was promoting a third-party site on the dark or clear Web; and a link to the offending group. A copy of the same spreadsheet in .csv format is available here.

The biggest collection of groups banned last week were those promoting the sale and use of stolen credit and debit card accounts. The next largest collection of groups included those facilitating account takeovers — methods for mass-hacking emails and passwords for countless online accounts such as Amazon, Google, Netflix, PayPal, as well as a host of online banking services.

This rather active Facebook group, which specialized in identity theft and selling stolen bank account logins, was active for roughly three years and had approximately 2,500 members.

In a statement to KrebsOnSecurity, Facebook pledged to be more proactive about policing its network for these types of groups.

“We thank Mr. Krebs for bringing these groups to our attention, we removed them as soon as we investigated,” said Pete Voss, Facebook’s communications director. “We investigated these groups as soon as we were aware of the report, and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins. We encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”


11
Apr 18

When Identity Thieves Hack Your Accountant

The Internal Revenue Service has been urging tax preparation firms to step up their cybersecurity efforts this year, warning that identity thieves and hackers increasingly are targeting certified public accountants (CPAs) in a bid to siphon oodles of sensitive personal and financial data on taxpayers. This is the story of a CPA in New Jersey whose compromise by malware led to identity theft and phony tax refund requests filed on behalf of his clients.

Last month, KrebsOnSecurity was alerted by security expert Alex Holden of Hold Security about a malware gang that appears to have focused on CPAs. The crooks in this case were using a Web-based keylogger that recorded every keystroke typed on the target’s machine, and periodically uploaded screenshots of whatever was being displayed on the victim’s computer screen at the time.

If you’ve never seen one of these keyloggers in action, viewing their output can be a bit unnerving. This particular malware is not terribly sophisticated, but nevertheless is quite effective. It not only grabs any data the victim submits into Web-based forms, but also captures any typing — including backspaces and typos as we can see in the screenshot below.

The malware records everything its victims type (including backspaces and typos), and frequently takes snapshots of the victim’s computer screen.

Whoever was running this scheme had all victim information uploaded to a site that was protected from data scraping by search engines, but the site itself did not require any form of authentication to view data harvested from victim PCs. Rather, the stolen information was indexed by victim and ordered by day, meaning anyone who knew the right URL could view each day’s keylogging record as one long image file.

Those records suggest that this particular CPA — “John,” a New Jersey professional whose real name will be left out of this story — likely had his computer compromised sometime in mid-March 2018 (at least, this is as far back as the keylogging records go for John).

It’s also not clear exactly which method the thieves used to get malware on John’s machine. Screenshots for John’s account suggest he routinely ignored messages from Microsoft and other third-party Windows programs about the need to apply critical security updates.

Messages like this one — about critical security updates available for QuickBooks — went largely ignored, according to multiple screenshots from John’s computer.

More likely, however, John’s computer was compromised by someone who sent him a booby-trapped email attachment or link. When one considers just how frequently CPAs need to open Microsoft Office and other files submitted by clients and potential clients via email, it’s not hard to imagine how simple it might be for hackers to target and successfully compromise your average CPA.

The keylogging malware itself appears to have been sold (or perhaps directly deployed) by a cybercriminal who uses the nickname ja_far. This individual markets a $50 keylogger product alongside a malware “crypting” service that guarantees his malware will be undetected by most antivirus products for a given number of days after it is used against a victim.

Ja_far’s sales threads for the keylogger used to steal tax and financial data from hundreds of John’s clients.

It seems likely that ja_far’s keylogger was the source of this data because at one point — early in the morning John’s time — the attacker appears to have accidentally pasted ja_far’s jabber instant messenger address into the victim’s screen instead of his own. In all likelihood, John’s assailant was seeking additional crypting services to ensure the keylogger remained undetected on John’s PC. A couple of minutes later, the intruder downloaded a file to John’s PC from file-sharing site sendspace.com.

The attacker apparently messing around on John’s computer while John was not sitting in front of the keyboard.

What I found remarkable about John’s situation was despite receiving notice after notice that the IRS had rejected many of his clients’ tax returns because those returns had already been filed by fraudsters, for at least two weeks John does not appear to have suspected that his compromised computer was likely the source of said fraud inflicted on his clients (or if he did, he didn’t share this notion with any of his friends or family via email).

Instead, John composed and distributed to his clients a form letter about their rejected returns, and another letter that clients could use to alert the IRS and New Jersey tax authorities of suspected identity fraud.


23
Mar 18

San Diego Sues Experian Over ID Theft Service

The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

The lawsuit, filed by San Diego city attorney Mara Elliott, concerns a data breach at an Experian subsidiary that lasted for nine months ending in 2013. As first reported here in October 2013, a Vietnamese man named Hieu Minh Ngo ran an identity theft service online and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

In reality, the fraudster was running his identity theft service from Vietnam, and paying Experian thousands of dollars in cash each month for access to 200 million consumer records. Ngo then resold that access to more than 1,300 customers of his ID theft service. KrebsOnSecurity first wrote about Ngo’s ID theft service — alternately called Superget[dot]info and Findget[dot]me — in 2011.

Ngo was arrested after being lured out of Vietnam by the U.S. Secret Service. He later pleaded guilty to identity fraud charges and was sentenced in July 2015 to 13 years in prison.

News of the lawsuit comes from The San Diego Union-Tribune, which says the city attorney alleges that some 30 million consumers could have had their information stolen in the breach, including an estimated 250,000 people in San Diego.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds,” writes Union-Tribune reporter Greg Moran.

Experian did not respond to requests for comment.

Ngo’s identity theft service, superget.info, which relied on access to consumer databases maintained by a company that Experian purchased in 2012.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who had been harmed by the incident. However, soon after Ngo was extradited to the United States, the Secret Service began identifying and rounding up dozens of customers of Ngo’s identity theft service. And most of Ngo’s customers were indeed involved in tax refund fraud with the states and the IRS.


19
Feb 18

IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts

Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.”

In one version of the scam, criminals are pretending to be debt collection agency officials acting on behalf of the IRS. They’ll call taxpayers who’ve had fraudulent tax refunds deposited into their bank accounts, claim the refund was deposited in error, and threaten recipients with criminal charges if they fail to forward the money to the collection agency.

This is exactly what happened to a number of customers at a half dozen banks in Oklahoma earlier this month. Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said many financial institutions in the Oklahoma City area had “a good number of customers” who had large sums deposited into their bank accounts at the same time.

Dodd said the bank customers received hefty deposits into their accounts from the U.S. Treasury, and shortly thereafter were contacted by phone by someone claiming to be a collections agent for a firm calling itself DebtCredit and using the Web site name debtcredit[dot]us.

“We’re having customers getting refunds they have not applied for,” Dodd said, noting that the transfers were traced back to a local tax preparer who’d apparently gotten phished or hacked. Those banks are now working with affected customers to close the accounts and open new ones, Dodd said. “If the crooks have breached a tax preparer and can send money to the client, they can sure enough pull money out of those accounts, too.”

Several of the Oklahoma banks’ clients received customized notices from a phony company claiming to be a collections agency hired by the IRS.

The domain debtcredit[dot]us hasn’t been active for some time, but an exact copy of the site to which the banks’ clients were referred by the phony collection agency can be found at jcdebt[dot]com — a domain that was registered less than a month ago. The site purports to be associated with a company in New Jersey called Debt & Credit Consulting Services, but according to a record (PDF) retrieved from the New Jersey Secretary of State’s office, that company’s business license was revoked in 2010.

“You may be puzzled by an erroneous payment from the Internal Revenue Service but in fact it is quite an ordinary situation,” reads the HTML page shared with people who received the fraudulent IRS refunds. It includes a video explaining the matter, and references a case number, the amount and date of the transaction, and provides a list of personal “data reported by the IRS,” including the recipient’s name, Social Security Number (SSN), address, bank name, bank routing number and account number.

All of these details no doubt are included to make the scheme look official; most recipients will never suspect that they received the bank transfer because their accounting firm got hacked.

The scammers even supposedly assign the recipients an individual “appointed debt collector,” complete with a picture of the employee, her name, telephone number and email address. However, the emails to the domain used in the email address from the screenshot above (debtcredit[dot]com) bounced, and no one answers at the provided telephone number.

Along with the Web page listing the recipient’s personal and bank account information, each recipient is given a “transaction error correction letter” with IRS letterhead (see image below) that includes many of the same personal and financial details on the HTML page. It also gives the recipient instructions on the account number, ACH routing and wire number to which the wayward funds are to be wired.

A phony letter from the IRS instructing recipients on how and where to wire the money that was deposited into their bank account as a result of a fraudulent tax refund request filed in their name.



29
Jan 18

File Your Taxes Before Scammers Do It For You

Today, Jan. 29, is officially the first day of the 2018 tax-filing season, also known as the day fraudsters start requesting phony tax refunds in the names of identity theft victims. Want to minimize the chances of getting hit by tax refund fraud this year? File your taxes before the bad guys can!

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

According to the IRS, consumer complaints over tax refund fraud have been declining steadily over the years as the IRS and states enact more stringent measures for screening potentially fraudulent applications.

If you file your taxes electronically and the return is rejected, and if you were the victim of identity theft (e.g., if your Social Security number and other information were leaked in the Equifax breach last year), you should submit an Identity Theft Affidavit (Form 14039). The IRS advises that if you suspect you are a victim of identity theft, continue to pay your taxes and file your tax return, even if you must do so by paper.

If the IRS believes you were likely the victim of tax refund fraud in the previous tax year, they will likely send you a special filing PIN that needs to be entered along with this year’s return before the filing will be accepted by the IRS electronically. This year marks the third out of the last five that I’ve received one of these PINs from the IRS.

Of course, filing your taxes early to beat the fraudsters requires one to have all of the tax forms needed to do so. As a sole proprietor, this is a great challenge because many companies take their sweet time sending out 1099 forms and such (even though they’re required to do so by Jan. 31).

A great many companies are now turning to online services to deliver tax forms to contractors, employees and others. For example, I have received several notices via email regarding the availability of 1099 forms online; most say they are sending the forms in snail mail, but that if I need them sooner I can get them online if I just create an account or enter some personal information at some third-party site.

Having seen how so many of these sites handle personal information, I’m not terribly interested in volunteering more of it. According to Bankrate, taxpayers can still file their returns even if they don’t yet have all of their 1099s — as long as you have the correct information about how much you earned.

“Unlike a W-2, you generally don’t have to attach 1099s to your tax return,” Bankrate explains. “They are just issued so you’ll know how much to report, with copies going to the IRS so return processors can double-check your entries. As long as you have the correct information, you can put it on your tax form without having the statement in hand.”


24
Nov 17

Name+DOB+SSN=FAFSA Data Gold Mine

KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.

Update, Nov. 28, 12:34 p.m. ET: The Education Department says not all of the data elements mentioned below are accessible on a FAFSA applicant if someone merely knows the static details about that person. Read on for their response to this story.

Original story:

Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.

Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.

Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family’s finances — including almost 200 different data elements.

The information returned includes all of these data fields:

1. Student’s Last Name:
2. Student’s First Name:
3. Student’s Middle Initial:
4. Student’s Permanent Mailing Address:
5. Student’s Permanent City:
6. Student’s Permanent State:
7. Student’s Permanent ZIP Code:
8. Student’s Social Security Number:
9. Student’s Date of Birth:
10. Student’s Telephone Number:
11. Student’s Driver’s License Number:
12. Student’s Driver’s License State:
13. Student’s E-mail Address:
14. Student’s Citizenship Status:
15. Student’s Alien Registration Number:
16. Student’s Marital Status:
17. Student’s Marital Status Date:
18. Student’s State of Legal Residence:
19. Was Student a Legal Resident Before January 1, 2012?
20. Student’s Legal Residence Date:
21. Is the Student Male or Female?
22. Register Student With Selective Service System?
23. Drug Conviction Affecting Eligibility?
24. Parent 1 Educational Level:
25. Parent 2 Educational Level:
26. High School or Equivalent Completed?
27a. Student’s High School Name:
27b. Student’s High School City:
27c. Student’s High School State:
28. First Bachelor’s Degree before 2017-2018 School Year?
29. Student’s Grade Level in College in 2017-2018:
30. Type of Degree/Certificate:
31. Interested in Work-study?
32. Student Filed 2015 Income Tax Return?
33. Student’s Type of 2015 Tax Form Used:
34. Student’s 2015 Tax Return Filing Status:
35. Student Eligible to File a 1040A or 1040EZ?
36. Student’s 2015 Adjusted Gross Income:
37. Student’s 2015 U.S. Income Tax Paid:
38. Student’s 2015 Exemptions Claimed:
39. Student’s 2015 Income Earned from Work:
40. Spouse’s 2015 Income Earned from Work:
41. Student’s Total of Cash, Savings, and Checking Accounts:
42. Student’s Net Worth of Current Investments:
43. Student’s Net Worth of Businesses/Investment Farms:
44a. Student’s Education Credits:
44b. Student’s Child Support Paid:
44c. Student’s Taxable Earnings from Need-Based Employment Programs:
44d. Student’s College Grant and Scholarship Aid Reported in AGI:
44e. Student’s Taxable Combat Pay Reported in AGI:
44f. Student’s Cooperative Education Earnings:
45a. Student’s Payments to Tax-Deferred Pensions & Retirement Savings:
45b. Student’s Deductible Payments to IRA/Keogh/Other:
45c. Student’s Child Support Received:
45d. Student’s Tax Exempt Interest Income:
45e. Student’s Untaxed Portions of IRA Distributions:
45f. Student’s Untaxed Portions of Pensions:
45g. Student’s Housing, Food, & Living Allowances:
45h. Student’s Veterans Noneducation Benefits:
45i. Student’s Other Untaxed Income or Benefits:
45j. Money Received or Paid on Student’s Behalf:
46. Student Born Before January 1, 1994?
47. Is Student Married?
48. Working on Master’s or Doctorate in 2017-2018?
49. Is Student on Active Duty in U.S. Armed Forces?
50. Is Student a Veteran?
51. Does Student Have Children He/She Supports?
52. Does Student Have Dependents Other than Children/Spouse?
53. Parents Deceased?/Student Ward of Court?/In Foster Care?
54. Is or Was Student an Emancipated Minor?
55. Is or Was Student in Legal Guardianship?
56. Is Student an Unaccompanied Homeless Youth as Determined by High School/Homeless Liaison?
57. Is Student an Unaccompanied Homeless Youth as Determined by HUD?
58. Is Student an Unaccompanied Homeless Youth as Determined by Director of Homeless Youth Center?
59. Parents’ Marital Status:
60. Parents’ Marital Status Date:
61. Parent 1 (Father’s/Mother’s/Stepparent’s) Social Security Number:
62. Parent 1 (Father’s/Mother’s/Stepparent’s) Last Name:
63. Parent 1 (Father’s/Mother’s/Stepparent’s) First Name Initial:
64. Parent 1 (Father’s/Mother’s/Stepparent’s) Date of Birth:
65. Parent 2 (Father’s/Mother’s/Stepparent’s) Social Security Number:
66. Parent 2 (Father’s/Mother’s/Stepparent’s) Last Name:
67. Parent 2 (Father’s/Mother’s/Stepparent’s) First Name Initial:
68. Parent 2 (Father’s/Mother’s/Stepparent’s) Date of Birth:
69. Parents’ E-mail Address:
70. Parents’ State of Legal Residence:
71. Were Parents Legal Residents Before January 1, 2012?
72. Parents’ Legal Residence Date:
73. Parents’ Number of Family Members in 2017-2018:
74. Parents’ Number in College in 2017-2018 (Parents Excluded):
75. Parents Received Medicaid or Supplemental Security Income?
76. Parents Received SNAP?
77. Parents Received Free/Reduced Price Lunch?
78. Parents Received TANF?
79. Parents Received WIC?
80. Parents Filed 2015 Income Tax Return?
81. Parents’ Type of 2015 Tax Form Used:
82. Parents’ 2015 Tax Return Filing Status:
83. Parents Eligible to File a 1040A or 1040EZ?
84. Is Parent a Dislocated Worker?
85. Parents’ 2015 Adjusted Gross Income:
86. Parents’ 2015 U.S. Income Tax Paid:
87. Parents’ 2015 Exemptions Claimed:
88. Parent 1 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
89. Parent 2 (Father’s/Mother’s/Stepparent’s) 2015 Income Earned from Work:
90. Parents’ Total of Cash, Savings, and Checking Accounts:
91. Parents’ Net Worth of Current Investments:
92. Parents’ Net Worth of Businesses/Investment Farms:
93a. Parents’ Education Credits:
93b. Parents’ Child Support Paid:
93c. Parents’ Taxable Earnings from Need-Based Employment Programs:
93d. Parents’ College Grant and Scholarship Aid Reported in AGI:
93e. Parents’ Taxable Combat Pay Reported in AGI:
93f. Parents’ Cooperative Education Earnings:
94a. Parents’ Payments to Tax-Deferred Pensions & Retirement Savings:
94b. Parents’ Deductible Payments to IRA/Keogh/Other:
94c. Parents’ Child Support Received:
94d. Parents’ Tax Exempt Interest Income:
94e. Parents’ Untaxed Portions of IRA Distributions:
94f. Parents’ Untaxed Portions of Pensions:
94g. Parents’ Housing, Food, & Living Allowances:
94h. Parents’ Veterans Noneducation Benefits:
94i. Parents’ Other Untaxed Income or Benefits:
95. Student’s Number of Family Members in 2017-2018:
96. Student’s Number in College in 2017-2018:
97. Student Received Medicaid or Supplemental Security Income?
98. Student Received SNAP?
99. Student Received Free/Reduced Price Lunch?
100. Student Received TANF?
101. Student Received WIC?
102. Is Student or Spouse a Dislocated Worker?
103a. First Federal School Code:
103b. First Housing Plans:
103c. Second Federal School Code:
103d. Second Housing Plans:
103e. Third Federal School Code:
103f. Third Housing Plans:
103g. Fourth Federal School Code:
103h. Fourth Housing Plans:
103i. Fifth Federal School Code:
103j. Fifth Housing Plans:
103k. Sixth Federal School Code:
103l. Sixth Housing Plans:
103m. Seventh Federal School Code:
103n. Seventh Housing Plans:
103o. Eighth Federal School Code:
103p. Eighth Housing Plans:
103q. Ninth Federal School Code:
103r. Ninth Housing Plans:
103s. Tenth Federal School Code:
103t. Tenth Housing Plans:
104. Date Completed:
105. Signed By:
106. Preparer’s Social Security Number:
107. Preparer’s Employer Identification Number (EIN):
108. Preparer’s Signature:

According to the Education Department, nearly 20 million students filled out this form in the 2015/2016 application cycle.

Update: The process described above was based on a demonstration this author saw while sharing a screen with a KrebsOnSecurity reader who had a family member apply for aid through FAFSA. But an Education Department spokesperson took strong exception to my experience, saying that while someone armed with an applicant’s SSN and date of birth would be able to view some of the less sensitive data elements related to an application that has already been submitted and processed, seeing the more sensitive data requires an additional authentication step.

The spokesperson said the data is displayed across several pages that require manual advancement, and that before the pages with financial data are shown the visitor is prompted to supply a username and password that all users are required to create when they start the application process. The agency said that without those credentials, the system should not display the rest of the data.

In cases where a student has saved but not completed an application, the spokesperson said, the applicant is prompted to create a “save key,” or temporary password that needs to be supplied before the financial data is displayed.


3
May 16

Fraudsters Steal Tax, Salary Data From ADP

Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.

Patterson, N.J.-based ADP provides payroll, tax and benefits administration for more than 640,000 companies. Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name. A reader who works at U.S. Bank shared a letter received from Jennie Carlson, the financial institution’s executive vice president of human resources.

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”

The letter continued:

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

U.S. Bank spokesman Dana Ripley said the letter was sent to a “small population” of the bank’s more than 64,000 employees. Asked to comment on the letter from U.S. Bank, ADP confirmed that the fraud visited upon U.S. Bank also hit “a very small subset” of ADP’s total customers this year.

ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal.

ADP Chief Security Officer Roland Cloutier said customers can choose to create an account at the ADP portal for each employee, or they can defer that process to a later date (but employers do have to choose one or the other, Cloutier said).

According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.

The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals.
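The registration weakness described above comes down to a design choice: a static, company-wide secret that gates self-service account creation for employees the employer never enrolled. The following is an added illustration, not ADP’s code or anything derived from it; the class names, the employee records, the “company code” and the token lifetime are all invented. It models the deferred-signup design beside a hardened alternative in which the employer enrolls each employee up front and hands out a single-use, expiring token, so a leaked code is worthless and a claimed account cannot be claimed again.

```python
"""Toy model of two self-service registration designs.

Constructed example, not ADP's code: portal classes, employee records,
the static 'company code' and the token lifetime are all invented.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Employee:
    name: str
    dob: str          # YYYY-MM-DD (constructed)
    ssn: str          # constructed placeholder, not a real number
    registered: bool = False


class StaticCodePortal:
    """Weak design: one static, company-wide code plus the employee's own
    personal data is enough to claim an account the employer deferred
    creating. If the link and code are published, anyone holding stolen
    personal data can register as any not-yet-registered employee."""

    def __init__(self, company_code: str, employees: Dict[str, Employee]):
        self.company_code = company_code
        self.employees = employees              # keyed by SSN

    def register(self, code: str, name: str, dob: str, ssn: str) -> bool:
        emp = self.employees.get(ssn)
        if emp is None or emp.registered:
            return False                        # unknown person, or already claimed
        if code != self.company_code or (emp.name, emp.dob) != (name, dob):
            return False
        emp.registered = True
        return True


class EnrollmentTokenPortal:
    """Hardened design: the employer enrolls every employee immediately and
    each one receives a single-use, expiring token out of band. There is no
    shared secret to leak, and a token is consumed on its first use."""

    TOKEN_TTL_SECONDS = 7 * 24 * 3600

    def __init__(self, employees: Dict[str, Employee]):
        self.employees = employees
        self._tokens: Dict[str, Tuple[str, float]] = {}   # token -> (ssn, expiry)

    def enroll(self, ssn: str, now: Optional[float] = None) -> str:
        """Employer-side step: mint one token bound to one employee."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (ssn, now + self.TOKEN_TTL_SECONDS)
        return token

    def register(self, token: str, name: str, dob: str, ssn: str,
                 now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Consumed on any attempt, so a token cannot be used to guess personal data.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        bound_ssn, expiry = entry
        emp = self.employees.get(ssn)
        if now > expiry or bound_ssn != ssn or emp is None or emp.registered:
            return False
        if (emp.name, emp.dob) != (name, dob):
            return False
        emp.registered = True
        return True


def demo() -> Dict[str, bool]:
    """Run both designs against the same leaked data; every outcome should be True."""
    # Constructed personal data, standing in for what thieves already held.
    pii = dict(name="A. Example", dob="1980-01-02", ssn="000-00-0001")
    leaked_code = "ACME-2016"          # the static code the victim firms published

    weak = StaticCodePortal(leaked_code, {pii["ssn"]: Employee(**pii)})
    hardened = EnrollmentTokenPortal({pii["ssn"]: Employee(**pii)})
    token = hardened.enroll(pii["ssn"], now=1000.0)

    return {
        "weak_claimed_with_leaked_code": weak.register(leaked_code, **pii),
        "weak_second_claim_rejected": not weak.register(leaked_code, **pii),
        "hardened_leaked_code_rejected": not hardened.register(leaked_code, **pii, now=1001.0),
        "hardened_token_accepted": hardened.register(token, **pii, now=1001.0),
        "hardened_token_reuse_rejected": not hardened.register(token, **pii, now=1002.0),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the hardened variant is not the token format but the removal of the deferral window: an account that is enrolled the day the employee is hired leaves nothing for a stranger to claim, and binding each token to one identity means a leak of any one secret exposes at most one account.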


24
Mar 16

Phishing Victims Muddle Tax Fraud Fight

Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests.

According to data released this week by anti-fraud company iovation, the Internal Revenue Service is taking up to three times longer to review 2015 tax returns compared to past years.

Julie Magee, commissioner of Alabama’s Department of Revenue,  said much of the delay this year at the state level is likely due to new “fraud filters” the states have put in place with Gentax, a return processing and auditing system used by about half of U.S. state revenue departments. If the states can’t outright deny a suspicious refund request, they’ll very often deny the requested electronic bank deposit and issue a paper check to the taxpayer’s known address instead.

“Many states decided they weren’t going to start paying refunds until March 1, and on our side we’ve been using all our internal fraud resources and tools to analyze the tax return before we even put it in the queue,” Magee said. “That’s delaying refunds nationwide for the IRS and the states, and it’s pretty much going to also mean a helluva lot of paper checks are going out this year.”

The added fraud filters that states are employing take advantage of data elements shared for the first time this tax season by the major online tax preparation firms such as TurboTax. The filters look for patterns known to be associated with phony refund requests, such as how quickly the return was filed, or whether the same Internet address was seen completing multiple returns.

Magee said some of the states have been adding new fraud filters nearly every time they learn of another big breach involving large numbers of stolen or phished employee W2 data, a huge problem this tax season that is forcing dozens of companies large and small to disclose data breaches over the past few weeks.

“Every time we turn around getting a phone call about another breach,” Magee said. “Because of all the different breaches, the states and the IRS have been taking extreme measures to filter, filter, filter. And each time we’d get news of an additional breach, we’d start over, reprogram our fraud filters, and re-assess those returns that were not processed fully yet and those waiting to be processed.”

Magee said the Gentax software assigns each tax return a score for “wage confidence” and “identity confidence,” and that usually fraudulent tax refund requests have high wage confidence but low — if any — identity confidence. That’s because the fraudsters are filing refund requests on taxpayers for whom they already have stolen W2 information. The identity confidence in these cases is low often because the fraudsters are asking to have the money electronically deposited into an account that can’t be directly tied to the taxpayer, or they have incorrectly supplied some of the victim’s data.

“I have zero confidence that filings which match this pattern are legitimate,” Magee said. “It’s early still, but our new filtering system seems to be working. But it’s still a big unknown about the percentage of fraudulent refunds we’re not stopping.”
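The scoring Magee describes (high wage confidence, low identity confidence, a deposit account that cannot be tied to the taxpayer, returns filed very quickly or from one address) can be written down as a small rules engine. The following is an added example, not Gentax or any state’s actual code; the field names, weights, thresholds and the five sample returns are constructed for illustration. It scores each return on the two axes and then applies the decision the article describes: pay electronically, deny the electronic deposit and mail a paper check to the known address, or hold the return for review.

```python
"""Constructed fraud-filter illustration (not Gentax or any state's code).

Each refund request gets a wage-confidence score (does the return agree with
what the employer reported?) and an identity-confidence score (does the filer
look like the taxpayer?). Phished-W2 fraud tends to score high on the first
and low on the second, so the decision keys on identity confidence once the
wage figures check out.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ReturnRecord:
    taxpayer_id: str
    reported_wages: int
    reported_withholding: int
    employer_wages: int            # from the employer's own W-2 filing
    employer_withholding: int
    dob_matches: bool              # date of birth agrees with identity records
    address_matches: bool
    deposit_account_known: bool    # account previously tied to this taxpayer
    filing_seconds: int            # time from starting the return to submitting it
    source_ip: str


def wage_confidence(r: ReturnRecord) -> float:
    score = 0.0
    if r.reported_wages == r.employer_wages:
        score += 0.6
    if r.reported_withholding == r.employer_withholding:
        score += 0.4
    return score


def identity_confidence(r: ReturnRecord, ip_counts: Counter) -> float:
    """Start from full confidence and subtract for each suspicious signal."""
    score = 1.0
    if not r.dob_matches:
        score -= 0.4
    if not r.address_matches:
        score -= 0.2
    if not r.deposit_account_known:
        score -= 0.4               # refund routed somewhere the taxpayer never used
    if r.filing_seconds < 300:
        score -= 0.2               # whole return completed in under five minutes
    if ip_counts[r.source_ip] > 1:
        score -= 0.3               # same address seen completing multiple returns
    return max(score, 0.0)


def decide(returns: List[ReturnRecord]) -> List[Tuple[str, str]]:
    ip_counts = Counter(r.source_ip for r in returns)
    decisions = []
    for r in returns:
        w, i = wage_confidence(r), identity_confidence(r, ip_counts)
        if w < 0.6:
            decision = "hold_for_review"        # wages disagree with employer data
        elif i >= 0.7:
            decision = "electronic_deposit"
        elif i >= 0.3:
            decision = "paper_check"            # deny e-deposit, mail to known address
        else:
            decision = "hold_for_review"        # the phished-W2 pattern
        decisions.append((r.taxpayer_id, decision))
    return decisions


# Constructed sample returns; IPs are from documentation ranges.
SAMPLE_RETURNS = [
    ReturnRecord("TP-001", 52000, 6100, 52000, 6100, True, True, True, 1800, "198.51.100.10"),
    ReturnRecord("TP-002", 47500, 5200, 47500, 5200, True, False, False, 120, "203.0.113.7"),
    ReturnRecord("TP-003", 61000, 7900, 61000, 7900, True, True, False, 200, "203.0.113.7"),
    ReturnRecord("TP-004", 38000, 4100, 38000, 4100, True, True, False, 1500, "198.51.100.22"),
    ReturnRecord("TP-005", 90000, 9500, 41000, 4400, True, True, True, 2400, "198.51.100.31"),
]


def decisions_by_taxpayer() -> Dict[str, str]:
    return dict(decide(SAMPLE_RETURNS))


if __name__ == "__main__":
    for taxpayer, decision in decide(SAMPLE_RETURNS):
        print(taxpayer, decision)
```

TP-002 and TP-003 show the pattern the article describes: the wage figures match the employer’s W-2 exactly (the thief has the real form), but the refund is pointed at an unknown account, the return was finished in minutes, and both came from the same address. TP-004 is the softer case that ends up as a paper check, and TP-005 is flagged for a different reason, inflated wages that the employer never reported.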

MORE W2 PHISHING VICTIMS

Most states didn’t start processing returns until after March 1, which is exactly when a flood of data breaches related to phished employee W2 data began washing up. As KrebsOnSecurity first warned in mid-February, thieves have been sending targeted phishing emails to human resources and finance employees at countless organizations, spoofing a message from the CEO requesting all employee W2’s in PDF format.

In Magee’s own state, W2 phishers hauled in tax data on an estimated 180 employees of ISCO Industries in Huntsville, and some 425 employees at the EWTN Global Catholic Network in Irondale, Ala. But those are just the ones that have been made public. Magee’s office only learned of those breaches after employees at the affected organizations reached out to journalists who then wrote about the compromises.

Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker Acronis; Kids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independent, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times.


16
Mar 16

Thieves Phish Moneytree Employee Tax Data

Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists.

Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”

“Moneytree was apparently targeted by a scam in which the scammer impersonated me and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.

The message continued:

“Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”

A woman who answered a Moneytree phone number listed in the email confirmed the veracity of the co-founder’s message to employees, but would not say how many employees were notified. According to the company’s profile on Yellowpages.com, Moneytree Inc. maintains a staff of more than 1,200 employees. The company offers check cashing, payday loan, money order, wire transfer, mortgage, lending, prepaid gift cards, and copying and fax services.

Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February. Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.



03
Oct 16

Who Makes the IoT Things Under Attack?

As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware.

The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.

[Spreadsheet image: the default username/password pairs from the Mirai source code, matched to the likely device maker and device type]

In all, there are 68 username and password pairs in the botnet source code. However, many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorder (DVRs).

I examined the less generic credential pairs and tried to match each with an IoT device maker and device type. As we can see from the spreadsheet above (also available in CSV and PDF formats), most of the devices are network-based cameras, with a handful of Internet routers, DVRs and even printers sprinkled in.

I don’t claim to have special knowledge of each match, and welcome corrections if any of these are in error. Mainly, I turned to Google to determine which hardware makers used which credential pairs, but in some cases this wasn’t obvious or easy.

Which is part of the problem, says Will Dormann, senior vulnerability analyst at the CERT Coordination Center (CERT/CC).

“Even when users are interested in and looking for this information, the vendor doesn’t always make it easy,” Dormann said.

Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device.

Indeed, according to this post from video surveillance forum IPVM, several IoT device makers — including Hikvision, Samsung, and Panasonic — have begun to require unique passwords by default, with most forcing a mix of upper and lowercase letters, numbers, and special characters.

“As long as the password can’t be reversed — for example, an algorithm based off of a discoverable tidbit of information — that would be a reasonable level of security,” Dormann said.

Some readers have asked how these various IoT devices could be exposed if users have configured them to operate behind wired or wireless routers. After all, these readers note, most consumer routers assign each device inside the user’s home network so-called Network Address Translation (NAT) addresses that cannot be directly reached from the Internet.

But as several readers already commented in my previous story on the Mirai source code leak, many IoT devices will use a technology called Universal Plug and Play (UPnP) that will automatically open specific virtual portholes or “ports,” essentially poking a hole in the router’s shield for that device that allows it to be communicated with from the wider Internet. Anyone looking for an easy way to tell whether any of their network ports may be open and listening for incoming external connections could do worse than to run Steve Gibson’s “Shields Up” UPnP exposure test.

HELP! I NEVER CHANGED THE DEFAULT PASSWORD!

Regardless of whether your device is listed above, if you own a wired or wireless router, IP camera or other device that has a Web interface and you haven’t yet changed the factory default credentials, your system may already be part of an IoT botnet. Unfortunately, there is no simple way to tell one way or the other whether it has been compromised.

However, the solution to eliminating and preventing infections from this malware isn’t super difficult. Mirai is loaded into memory, which means it gets wiped once the infected device is disconnected from its power source.

But as I noted in Saturday’s story, there is so much constant scanning going on for vulnerable systems that IoT devices with default credentials can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.

My advice for those running devices with the default credentials? First off, make sure you know how to access the device’s administration panel. If you’re unsure how to reach the administration panel, a quick search online for the make and model of your device should reveal an address and default credential pair that can be typed or pasted into a Web browser.

If possible, reset the device to the factory-default settings. This should ensure that any malware uploaded to the device is wiped permanently. Most devices have a small, recessed button that needs to be pressed and held down for several seconds while powered on to reset the thing back to the factory default settings.

When the device comes back online, quickly fire up a Web browser, navigate to the administration panel, enter the default credentials, and then change the default password to something stronger and more memorable. I hope it goes without saying that any passwords remotely resembling the default passwords noted in the image above are horrible passwords. Here’s some advice on picking better ones.
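Dormann’s recommendation earlier in the piece is that hardware makers force a strong, non-default password at setup time, and that the password must not be derivable from something discoverable about the device. The following is an added example of what such a setup-time check looks like; it is not any vendor’s firmware code, and the default-credential sample, the serial number, the MAC address and the model name are all constructed (the sample is deliberately not the Mirai list from the spreadsheet above). It rejects known factory defaults, passwords that embed the device’s serial, MAC or model, and passwords that fail basic length and character-class rules.

```python
"""Setup-time password check for an IoT device (constructed example, not
any vendor's firmware). Rejects factory defaults, passwords derived from
discoverable device identifiers, and weak passwords generally.
"""
import re
from typing import Dict, List

# Constructed sample of factory default pairs; NOT the list from the Mirai source.
DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "1234"),
    ("ubnt", "ubnt"),
    ("root", ""),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_PAIRS}

# Constructed identifiers of the kind printed on a device label or visible on the LAN.
DEVICE_FACTS: Dict[str, str] = {
    "serial": "SN12345678",
    "mac": "00:11:22:33:44:55",
    "model": "CAM-200",
}

MIN_LENGTH = 12
MIN_CLASSES = 3
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def derived_from_device(password: str, facts: Dict[str, str], min_overlap: int = 4) -> bool:
    """True if any run of min_overlap characters from a device identifier
    (with or without separators) appears in the password. This is the
    'reversible' case: a password an attacker could reconstruct from a
    label photo, a sticker, or an ARP table."""
    p = password.lower()
    candidates: List[str] = []
    for value in facts.values():
        v = value.lower()
        candidates += [v, v.replace(":", ""), v.replace("-", "")]
    for c in candidates:
        for start in range(0, len(c) - min_overlap + 1):
            if c[start:start + min_overlap] in p:
                return True
    return False


def check_setup_password(username: str, password: str,
                         facts: Dict[str, str] = DEVICE_FACTS) -> List[str]:
    """Return the reasons a candidate password is rejected; empty list means accept."""
    problems: List[str] = []
    if (username, password) in DEFAULT_PAIRS or password in DEFAULT_PASSWORDS:
        problems.append("matches a known factory default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pat, password)) for pat in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if derived_from_device(password, facts):
        problems.append("derived from the device serial, MAC or model")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("admin", "Cam-200Rocks!!"),
                     ("admin", "Correct-Horse-Battery-9!")]:
        print(f"{user}/{pw!r}: {check_setup_password(user, pw) or 'OK'}")
```

A check like this only helps if the device runs it on every credential store it has. As the later section of this article explains, the Web interface and the telnet/SSH login are often separate accounts on the same device, so the same rule needs to apply to both, or the default remains reachable from the network regardless of what the user types into the Web form.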

Unfortunately, many of these devices also require periodic software or “firmware” updates to fix previously unknown security vulnerabilities that the vendor discovers or that are reported to the hardware maker post-production.  However, relatively few hardware makers do a good job of making this process simple and easy for users, let alone alerting customers to the availability of firmware updates.

“When it comes to software updates, automatic updates are good,” Dormann said. “Simple updates that notify the user and require intervention are okay. Updates that require the user to dig around to find and install manually are next to worthless.  Devices that don’t have updates at all are completely worthless. And that can be applied to traditional computing as well.  It’s just that with IoT, you likely have even-less-technical users at the helm.”

Only after fixing any problems related to default credentials should readers consider checking for firmware updates. Some hardware makers include the ability to check for updates through a Web-based administration panel (like the one used to change the device’s default password), while others may only allow firmware updates manually via downloads from the manufacturer’s site.

Firmware updates can be tricky to install, because if you fail to follow the manufacturer’s instructions to the letter you may end up with little more than an oversized paperweight. So if you decide to go ahead with any firmware updates, please do so carefully and deliberately.

BUT WAIT, THERE’S MORE

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry — said in his experience IP camera users can often change whatever settings they want in the device’s Web interface, but that’s no guarantee the changes will affect how the device can be accessed via Telnet or SSH.

“The problem is there’s no hard and fast rule,” Karas said. “What often happens is Telnet and SSH are an operating system-level login, and the [Web interface] tends to be more of an application level login. Sometimes changing a password on one changes the password on the other, but more often the Web [interface] is completely different, and changing the password there may not change the underlying password” needed to access the device remotely via SSH and Telnet, he said.

Case in point: In February 2016 I published This is Why People Fear the Internet of Things, which examined a whole slew of IP cameras sold by Chinese Web camera giant Foscam that — by default — included a feature which would quietly phone home to a vast peer-to-peer (P2P) network run by the company. As I explained in that piece, while the Web interface for those P2P cameras included a setting allowing users to disable the P2P traffic, disabling that option didn’t actually do anything to stop the device from seeking out other Foscam P2P cameras online.

Interestingly, Karas said he’s been pressing Dahua — whose IoT devices are heavily represented in the above default password list — to tell him how many of their devices are vulnerable. Karas said Dahua told him that although the company’s newest models didn’t have this problem, the company was preparing to launch a trade-in program for customers with default-insecure devices.

“They didn’t give me a straight answer on this one, but what that tells me is they have a whole bunch of devices that may not be firmware updatable, which means they can’t make those devices more secure without swapping out the underlying hardware.”

Update, 8:30 p.m. ET: Added final section with the sobering caveat that all of this hassle in changing the default passwords and updating the firmware may not actually solve the problem for many (if not all) of the affected devices.


150 comments

  1. So what’s all the fuss about? Haven’t we always had things on our networks? In fact, until 20 or 25 years ago most of our networks were about connecting “things” — PCs, terminals, servers, hosts, routers, printers, etc. People were an afterthought, really.

    Regards
    Steve

  2. Feds: hire them, don’t prosecute them! Good talent is difficult to recruit, and Silicon Valley often gobbles up top tier talent for those who can make it out of mom’s house.

    • When we elect a known criminal to public office – who has deliberately compromised security to cover their own tracks while shaking down foreign governments and corporations – how can we punish anyone. Legally, it’s selective enforcement.

    • This isn’t something that requires a lot of talent, particularly because this uses simple, well-known holes in security. Indeed, no one familiar with default security on the internet is surprised by this attack.

      Whoever did this should be prepared to face legal repercussions.

      To the extent that we should consider cutting these people some slack, it shouldn’t be based on “talent” on their part, but because of irresponsibility of those of us who designed these systems in the first place.

  3. Somewhat of a long shot here but, is it possible to pull out the MAC addresses of the devices that are part of the “mirai” device list and see if they can be organized into a machine discernable list so that I can write an IPS signature for it. Meaning, are the Octets in the MACs of these devices in a sequential range that allows for me to create a signature on that “subnet”. If that works, then we can work with ISPs or others in the internet business to more easily identify aggregated traffic.

    • Similarly, I would like to see or develop a list of Mirai-susceptible OUIs so that I can disallow those on the network.

    • Anonymous Coward

      You do realize that once a packet gets routed, the MAC address changes, right? And…there are other ways of moving data around at Layer 2 other than the usual Ethernet.

  4. Link to Gibson’s test page is wrong; goes to a local Windows config utility instead of his ShieldsUp scanner.

  5. ubnt/ubnt is the default password for Ubiquiti Aircam and UniFi Video Cameras. Given the prevalence of cameras on this list I guess that’s more likely the target than AirOS. Could be both, though.

    • I believe that’s the default login for Ubiquiti stuff period. I know my UniFi AP used that as the default, as does the UniFi controller on first install

  6. Did the cyberattack affect Linksys wireless routers or Dell laptop wireless modems? I help friends & family with computer problems & there’s been several “bricking” in the last 2 weeks.

    • Linksys wireless routers or Dell laptop wireless modems
      Maybe those are susceptible, if those have telnet logins that are independent of logins user edits/sets in the web interface.
      Check if linksys has firmware updates or dell has driver updates. Dell download pages have brief notes.

      bricking
      Maybe you should post details in a forum that gives help (perhaps other users in whichever forum)

  7. So we have been working on this for some time. We helped develop a hardening guide (here’s one http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf ) that directly addresses many of these issues as well as a platform that provides technical automation to help installers of these systems. http://www.securitysystemsnews.com/blog/eidola-created-integrators-ensure-cybersecurity

    • Thanks for that link, Salvatore. I can’t help but notice, however, that the guide instructs users to disable lots of settings in the name of security. Seems to me, a better option would be to disable the potential security risks by default, and encourage people to turn them on only if they need those features.

      That seems to me to be the crux of the problem for most IoT devices: They are insecure by default, and require readers to step through a 23-page PDF on how to do that.

  8. What makes the IoT attack vector unique is that there’s no incentive for anyone to fix it. How much do *YOU* care that your fridge just broke the internet? Probably not that much, definitely not enough for you to change your fridge’s admin credentials, update firmware, etc.

    It’s a “problem of the commons” and, like all public goods problems, we need a public solution.

    There should be a global standards body for certifying the security standards of IoT hardware. Much in the same way Underwriters Laboratories certifies my light bulb socket won’t set my house on fire (and without that certification, hardware store can’t import that socket from China) gotta find a way to bring governments and manufacturers together worldwide to enforce security audits on consumer products…

    The FCC does this with radios, NHTSA does this with cars, FTC does this for most other merchandise categories… we need local and global bodies to take an active role in protecting the world from unsafely designed products.

    • There’s one solution but it’s gnarly and quite illegal. Have cameras (etc) that have publicly exploitable vulns start perma DDOSing their manufacturers. You can bet your bottom dollar those manufacturers will be incentivised to fix it when their very existence as internet citizens is at stake.

      With that said , the nuclear option isn’t exactly fair on the poor users. Perhaps the vigilante solution is to just remote patch the damn things

      (And I don’t recommend any of those courses of action)

  9. If you’re looking to test your devices for default username and passwords, the following sites will help you out, the following websites are great starting points:

    https://cirt.net/passwords
    http://www.defaultpassword.com/

    Then check to see if your organization is listed on Google or Shodan. If you’re listed and default passwords works, time to reset your credentials for your device and prevent Internet crawlers to list your services.

  10. Michael Dickenson

    EV ZLX 2-way speakers have zero network connectivity.
    I know. I own them.
    I notice there’s no link in the evidence column so I’m confused how this device ends up on the list.
    There are numerous professional speakers that connect using Dante and AES50 over Ethernet but the EV ZLX series definitely does not.

    • Thanks, Michael. As I said in the story, these should not be taken as gospel. I will go back and look to see if I have the link to supporting evidence, but if you have found another candidate, I’d be happy to update the graphic.

      Bk

  11. More useful would be a list of devices which aren’t as vulnerable to Telnet & SSH attack. Anybody got one?

    • DJ, that’s ridiculous. A list of non-affected devices (whitelist) would be huge, it’s much easier to read and distribute a blacklist.

      • I know what he means though. This short list just happens to be the ones used in this attack on some of the low-hanging fruit. Next time it could easily be Telnet or SSH used and your really complex password will make no difference. I need to set up a DVR for CCTV cameras in an office and a requirement is they want to be able to see live footage on the web if the alarm goes off. Any advice on buying and configuring kit that isn’t leaving them wide open?

  12. As a former Xerox certified tech for a Western NY VAR, I can attest that is the practice for some techs to reset the password to one of the defaults if they can’t log into the printer. Sheer stupidity…

  13. Those Ubiquiti passwords are used on all of their devices that I’ve seen. That includes at least their p2p links and cameras. I’ve seen multiple nanostation and aircams using that same pair.

    Not that you’re incorrect, I’m just highlighting that it goes beyond their routers.

  14. Still trying to figure out what software was running on the infected devices. Was it Windows 10 IoT, a Linux or some Arduino software?

  15. Be nice if the makers of IoT devices set up a standard such as:
    1) Post reset/boot of device the default User/PW is only good for say 1 hour
    2) After that hour the default User/PW won’t work and the device can only be logged into with a user/pass that is not the same as the default.

    This would stop most botnets from crawling the net looking and logging into the devices with known/default user/PW’s successfully

  16. Even behind a NAT with UPnP off, a device can be infected by Mirai-like malware running on a PC, smartphone or any other capable host within the LAN.

    For example, a compromised laptop could infect WiFi cameras at a coffee shop it is briefly used in. (That is, if that coffee shop has a plain vanilla WiFi LAN.)

  17. My solution was simple. My cameras are configured to work only on my intranet, and UPnP is disabled everywhere. And just to be extra safe, through parental controls on my router, all camera MACs are blocked from contacting the internet. Then, when outside, I VPN into my network, and my camera viewer software on my phone/tablet/laptop works like I’m at home. Of course, all passwords on cameras, router, software, VPN are super long and complicated. There is no perfect security, but I think this is as safe as I am going to get.


ddos-for-hire — Krebs on Security

Posts Tagged: ddos-for-hire


1
Feb 19

250 Webstresser Users to Face Legal Action

More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union’s law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser’s customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018.


2
Sep 18

Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted

A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine.

Schuchman, in an undated photo posted online and referenced in a “dox,” which alleged in Feb. 2018 that Schuchman was Nexus Zeta.

The Daily Beast‘s Kevin Poulsen broke the news last week that federal authorities in Alaska indicted Kenneth Currin Schuchman of Washington on two counts of violating the Computer Fraud and Abuse Act by using malware to damage computers between August and November 2017.

The 3-page indictment (PDF) is incredibly sparse, and includes few details about the meat of the charges against Schuchman. But according to Poulsen, the charges are related to Schuchman’s alleged authorship and use of the Satori botnet. Satori, also known as “Masuta,” is a variant of the Mirai botnet, a powerful IoT malware strain that first came online in July 2016.

“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking,” Poulsen notes.

Schuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy ne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. In January 2018, Nexus Zeta changed the login page for his botnet control panel that he used to remotely control his hacked routers to include a friendly backhanded reference to this author:

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

This wasn’t the first time Nexus Zeta said hello. In late November 2017, he chatted me up on Twitter and Jabber instant message for several days. Most of the communications came from two accounts: “9gigs_ProxyPipe” on Twitter, and ogmemes123@jabber.ru (9gigs_ProxyPipe would later change its Twitter alias to Nexus Zeta, and Nexus Zeta himself admitted that 9gigs_ProxyPipe was his Twitter account.)

In each case, this person wanted to talk about a new IoT botnet that he was “researching” and that he thought deserved special attention for its size and potential disruptive impact should it be used in a massive Distributed Denial-of-Service (DDoS) attack aimed at knocking a Web site offline — something for which Satori would soon become known.

A Jabber instant message conversation with Nexus Zeta on Nov. 29, 2017.

Nexus Zeta’s Twitter nickname initially confused me because both 9gigs and ProxyPipe are names claimed by Robert Coelho, owner of ProxyPipe hosting (9gigs is a bit from one of Coelho’s Skype account names). Coelho’s sleuthing was quite instrumental in helping to unmask 21-year-old New Jersey resident Paras Jha as the author of the original Mirai IoT botnet (Jha later pleaded guilty to co-authoring and using Mirai and is due to be sentenced this month in Alaska and New Jersey). “Ogmemes” is from a nickname used by Jha and his Mirai botnet co-author.

On Nov. 28, 2017, 9gigs_ProxyPipe sent a message to the KrebsOnSecurity Twitter account:

“I have some information in regards to an incredibly dangerous IoT botnet you may find interesting,” the Twitter message read. “Let me know how you would prefer to communicate assuming you are interested.”

We connected on Jabber instant message. In our chats, Ogmemes123 said he couldn’t understand why nobody had noticed a botnet powered by a Mirai variant that had infected hundreds of thousands of IoT devices (he estimated the size of the botnet to be about 300,000-500,000 at the time). He also talked a lot about how close he was with Jha. Nexus Zeta’s Twitter account profile photo is a picture of Paras Jha. He also said he knew this new botnet was being used to attack ProxyPipe.

Less than 24 hours after that tweet from Nexus Zeta, I heard from ProxyPipe’s Coelho. They were under attack from a new Mirai variant.


18
Jan 17

Who is Anna-Senpai, the Mirai Worm Author?

On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.

After months of digging, KrebsOnSecurity is now confident it has uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.

The Hackforums post that includes links to the Mirai source code.

Mirai co-author Anna-Senpai leaked the source code for Mirai on Sept. 30, 2016.

Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.

The story you’re reading now is the result of hundreds of hours of research.  At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross.  If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.

As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service” (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.

A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks.  And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.

THE FIRST CLUES

The first clues to Anna-Senpai’s identity didn’t become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.

Earlier this summer, my site was hit with several huge attacks from a collection of hacked IoT systems compromised by a family of botnet code that served as a precursor to Mirai. The malware went by several names, including “Bashlite,” “Gafgyt,” “Qbot,” “Remaiten,” and “Torlus.”

All of these related IoT botnet varieties infect new systems in a fashion similar to other well-known Internet worms — propagating from one infected host to another. And like those earlier Internet worms, sometimes the Internet scanning these systems perform to identify other candidates for inclusion into the botnet is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is trying to subvert and recruit into the botnet. This kind of self-defeating behavior will be familiar to those who recall the original Morris Worm, NIMDA, CODE RED, Welchia, Blaster and SQL Slammer disruptions of yesteryear.

Infected IoT devices constantly scan the Web for other IoT things to compromise, wriggling into devices that are protected by little more than insecure factory-default settings and passwords. The infected devices are then forced to participate in DDoS attacks (ironically, many of the devices most commonly infected by Mirai and similar IoT worms are security cameras).
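Detecting the credential-sweeping behaviour described above comes down to spotting one source failing logins against many different hosts in a short time. The following is an added example, not code from the post or from any product: it runs that heuristic over a handful of constructed telnet-gateway log lines in a format invented for the example (timestamp, src, dst, user, result), flags a source once it has four failures across at least three distinct hosts within a minute, and records any later successful login from an already-flagged source, which is the event a defender most wants to see.

```python
"""Added example: flag default-credential sweeps in constructed telnet
gateway logs. The log format is invented for this example; the addresses
are documentation ranges, not real hosts."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one sweeping source (203.0.113.7) walking across
# hosts, one admin (198.51.100.4) mistyping a password twice on a single host.
SAMPLE_LOG = """\
2016-09-21T03:14:00Z telnet src=203.0.113.7 dst=192.0.2.10 user=root result=fail
2016-09-21T03:14:02Z telnet src=198.51.100.4 dst=192.0.2.20 user=admin result=fail
2016-09-21T03:14:05Z telnet src=203.0.113.7 dst=192.0.2.11 user=admin result=fail
2016-09-21T03:14:09Z telnet src=203.0.113.7 dst=192.0.2.12 user=root result=fail
2016-09-21T03:14:15Z telnet src=203.0.113.7 dst=192.0.2.13 user=support result=fail
2016-09-21T03:14:20Z telnet src=203.0.113.7 dst=192.0.2.14 user=root result=ok
2016-09-21T03:14:40Z telnet src=198.51.100.4 dst=192.0.2.20 user=admin result=fail
2016-09-21T03:15:01Z telnet src=198.51.100.4 dst=192.0.2.20 user=admin result=ok
this line is not a telnet record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

WINDOW_SECONDS = 60      # sliding window per source
MIN_FAILURES = 4         # failures inside the window ...
MIN_DISTINCT_DSTS = 3    # ... spread over this many different hosts


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "user": m["user"], "result": m["result"]}


def find_sweeps(lines):
    """Map each flagged source to details of its sweep."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)    # src -> deque of (ts, dst) recent failures
    alerts = {}
    for e in events:
        src = e["src"]
        if e["result"] == "ok":
            # A login that succeeds after a sweep from the same source is the
            # event worth paging on: that host is likely now part of the botnet.
            if src in alerts:
                alerts[src]["success_after_sweep"].append(e["dst"])
            continue
        q = recent[src]
        q.append((e["ts"], e["dst"]))
        # Drop failures that have aged out of the window.
        while q and (e["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        targets = {dst for _, dst in q}
        if (src not in alerts and len(q) >= MIN_FAILURES
                and len(targets) >= MIN_DISTINCT_DSTS):
            alerts[src] = {
                "first_seen": q[0][0].isoformat(),
                "failures": len(q),
                "targets": sorted(targets),
                "success_after_sweep": [],
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The distinct-destination threshold is what separates a sweep from an administrator who mistypes a password several times on one box; tune the window and counts to the gateway's normal traffic before relying on the alert.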

Mirai’s ancestors had so many names because each name corresponded to a variant that included new improvements over time. In 2014, a group of Internet hooligans operating under the banner “lelddos” very publicly used the code to launch large, sustained attacks that knocked many Web sites offline.

The most frequent targets of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any Internet connection.

The object of Minecraft is to run around and build stuff, block by large pixelated block. That may sound simplistic and boring, but an impressive number of people positively adore this game – particularly pre-teen males. Microsoft has sold more than 100 million copies of Minecraft, and at any given time there are over a million people playing it online. Players can build their own worlds, or visit myriad other blocky realms by logging on to their favorite Minecraft server to play with friends.

Image: Minecraft.net

A large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their Minecraft worlds, and purchasing in-game items and special abilities.

Perhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and extortionists like the lelddos gang. Lelddos would launch a huge DDoS attack against a Minecraft server, knowing that the targeted Minecraft server owner was likely losing thousands of dollars for each day his gaming channel remained offline.

Adding urgency to the ordeal, many of the targeted server’s loyal customers would soon find other Minecraft servers to patronize if they could not get their Minecraft fix at the usual online spot.

Robert Coelho is vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting Minecraft servers from attacks.

“The Minecraft industry is so competitive,” Coelho said. “If you’re a player, and your favorite Minecraft server gets knocked offline, you can switch to another server. But for the server operators, it’s all about maximizing the number of players and running a large, powerful server. The more players you can hold on the server, the more money you make. But if you go down, you start to lose Minecraft players very fast — maybe for good.”

In June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos, which had a penchant for publicly taunting its victims on Twitter just as it began launching DDoS assaults at the taunted.

The hacker group “lelddos” tweeted at its victims before launching huge DDoS attacks against them.

At the time, ProxyPipe was buying DDoS protection from Reston, Va.-based security giant Verisign. In a quarterly report published in 2014, Verisign called the attack the largest it had ever seen, although it didn’t name ProxyPipe in the report – referring to it only as a customer in the media and entertainment business.

Verisign said the 2014 attack was launched by a botnet of more than 100,000 servers running on SuperMicro IPMI boards. Days before the huge attack on ProxyPipe, a security researcher published information about a vulnerability in the SuperMicro devices that could allow them to be remotely hacked and commandeered for these sorts of attacks.

THE CENTRALITY OF PROTRAF

Coelho recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet made up of IoT devices infected with Qbot. He said the attacks were directly preceded by a threat made by a then-17-year-old Christopher “CJ” Sculti, Jr., the owner and sole employee of a competing DDoS protection company called Datawagon.

Datawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by yet another Minecraft-focused DDoS protection provider — ProTraf Solutions.

Christopher “CJ” Sculti, Jr.

According to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from ProxyPipe. Coelho said in mid-2015, Sculti reached out to him on Skype and said he was getting ready to disable Coelho’s Skype account. At the time, an exploit for a software weakness in Skype was being traded online, and this exploit could be used to remotely and instantaneously disable any Skype account.

Sure enough, Coelho recalled, his Skype account and two others used by co-workers were shut off just minutes after that threat, effectively severing a main artery of support for ProxyPipe’s customers – many of whom were accustomed to communicating with ProxyPipe via Skype.

“CJ messaged me about five minutes before the DDoS started, saying he was going to disable my skype,” Coelho said. “The scary thing about when this happens is you don’t know if your Skype account has been hacked and under control of someone else or if it just got disabled.”

Once ProxyPipe’s Skype accounts were disabled, the company’s servers were hit with a massive, constantly changing DDoS attack that disrupted ProxyPipe’s service to its Minecraft server customers. Coelho said within a few days of the attack, many of ProxyPipe’s most lucrative Minecraft servers had moved over to servers protected by ProTraf Solutions.

“In 2015, the ProTraf guys hit us offline tons, so a lot of our customers moved over to them,” Coelho said. “We told our customers that we knew [ProTraf] were the ones doing it, but some of the customers didn’t care and moved over to ProTraf anyway because they were losing money from being down.”

I found Coelho’s story fascinating because it eerily echoed the events leading up to my Sept. 2016 record 620 Gbps attack. I, too, was contacted via Skype by Sculti — on two occasions. The first was on July 7, 2015, when Sculti reached out apropos of nothing to brag about scanning the Internet for IoT devices running default usernames and passwords, saying he had uploaded some kind of program to more than a quarter-million systems that his scans found.

Here’s a snippet of that conversation:

July 7, 2015:

21:37 CJ: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/
21:37 CJ: vulnerable routers are a HUGE issue
21:37 CJ: a few months ago
21:37 CJ: I scanned the internet with a few sets of defualt logins
21:37 CJ: for telnet
21:37 CJ: and I was able to upload and execute a binary
21:38 CJ: on 250k devices
21:38 CJ: most of which were routers
21:38 Brian Krebs: o_0

The second time I heard from Sculti on Skype was Sept. 20, 2016 — the day of my 620 Gbps attack. Sculti was angry over a story I’d just published that mentioned his name, and he began rather saltily maligning the reputation of a source and friend who had helped me with that story.

Indignant on behalf of my source and annoyed at Sculti’s rant, I simply blocked his Skype account from communicating with mine and went on with my day. Just minutes after that conversation, however, my Skype account was flooded with thousands of contact requests from compromised or junk Skype accounts, making it virtually impossible to use the software for making phone calls or instant messaging.

Six hours after that Sept. 20 conversation with Sculti, the huge 620 Gbps DDoS attack commenced on this site.


8
Sep 16

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

vDOS, a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline, has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

The vDos home page.

To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

Let the enormity of that number sink in for a moment: That’s nearly nine of what I call “DDoS years” crammed into just four months. That kind of time compression is possible because vDOS handles hundreds — if not thousands — of concurrent attacks on any given day.

Although I can’t prove it yet, it seems likely that vDOS is responsible for several decades worth of DDoS years. That’s because the data leaked in the hack of vDOS suggest that the proprietors erased all digital records of attacks that customers launched between Sept. 2012 (when the service first came online) and the end of March 2016.

HOW vDOS GOT HACKED

The hack of vDOS came about after a source was investigating a vulnerability he discovered on a similar attack-for-hire service called PoodleStresser. The vulnerability allowed my source to download the configuration data for PoodleStresser’s attack servers, which pointed back to api.vdos-s[dot]com. PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS.

From there, the source was able to exploit a more serious security hole in vDOS that allowed him to dump all of the service’s databases and configuration files, and to discover the true Internet address of four rented servers in Bulgaria (at Verdina.net) that are apparently being used to launch the attacks sold by vDOS. The DDoS-for-hire service is hidden behind DDoS protection firm Cloudflare, but its actual Internet address is 82.118.233.144.

vDOS had a reputation on cybercrime forums for prompt and helpful customer service, and the leaked vDOS databases offer a fascinating glimpse into the logistical challenges associated with running a criminal attack service online that supports tens of thousands of paying customers — a significant portion of whom are all trying to use the service simultaneously.

Multiple vDOS tech support tickets were filed by customers who complained that they were unable to order attacks on Web sites in Israel. Responses from the tech support staff show that the proprietors of vDOS are indeed living in Israel and in fact set the service up so that it was unable to attack any Web sites in that country — presumably so as to not attract unwanted attention to their service from Israeli authorities. Here are a few of those responses:

(‘4130′,’Hello `d0rk`,\r\nAll Israeli IP ranges have been blacklisted due to security reasons.\r\n\r\nBest regards,\r\nP1st.’,’03-01-2015 08:39),

(‘15462′,’Hello `g4ng`,\r\nMh, neither. I\’m actually from Israel, and decided to blacklist all of them. It\’s my home country, and don\’t want something to happen to them :)\r\n\r\nBest regards,\r\nDrop.’,’11-03-2015 15:35),

(‘15462′,’Hello `roibm123`,\r\nBecause I have an Israeli IP that is dynamic.. can\’t risk getting hit/updating the blacklist 24/7.\r\n\r\nBest regards,\r\nLandon.’,’06-04-2015 23:04),

(‘4202′,’Hello `zavi156`,\r\nThose IPs are in israel, and we have all of Israel on our blacklist. Sorry for any inconvinience.\r\n\r\nBest regards,\r\nJeremy.’,’20-05-2015 10:14),

(‘4202′,’Hello `zavi156`,\r\nBecause the owner is in Israel, and he doesn\’t want his entire region being hit offline.\r\n\r\nBest regards,\r\nJeremy.’,’20-05-2015 11:12),

(‘9057′,’There is a option to buy with Paypal? I will pay more than $2.5 worth.\r\nThis is not the first time I am buying booter from you.\r\nIf no, Could you please ask AplleJack? I know him from Israel.\r\nThanks.’,’21-05-2015 12:51),

(‘4120′,’Hello `takedown`,\r\nEvery single IP that\’s hosted in israel is blacklisted for safety reason. \r\n\r\nBest regards,\r\nAppleJ4ck.’,’02-09-2015 08:57),

WHO RUNS vDOS?

As we can see from the above responses from vDOS’s tech support, the owners and operators of vDOS are young Israeli hackers who go by the names P1st a.k.a. P1st0, and AppleJ4ck. The two men market their service mainly on the site hackforums[dot]net, selling monthly subscriptions using multiple pricing tiers ranging from $20 to $200 per month. AppleJ4ck hides behind the same nickname on Hackforums, while P1st goes by the alias “M30w” on the forum.

Some of P1st/M30W's posts on Hackforums regarding his service vDOS.

vDOS appears to be the longest-running booter service advertised on Hackforums, and it is by far and away the most profitable such business. Records leaked from vDOS indicate that since July 2014, tens of thousands of paying customers spent a total of more than $618,000 at the service using Bitcoin and PayPal.

Incredibly, for brief periods the site even accepted credit cards in exchange for online attacks, although it’s unclear how much the site might have made in credit card payments because the information is not in the leaked databases.

The Web server hosting vDOS also houses several other sites, including huri[dot]biz, ustress[dot]io, and vstress[dot]net. Virtually all of the administrators at vDOS have an email account that ends in v-email[dot]org, a domain that also is registered to an Itay Huri with a phone number that traces back to Israel.

The proprietors of vDOS set their service up so that anytime a customer asked for technical assistance the site would blast a text message to six different mobile numbers tied to administrators of the service, using an SMS service called Nexmo.com. Two of those mobile numbers go to phones in Israel. One of them is the same number listed for Itay Huri in the Web site registration records for v-email[dot]org; the other belongs to an Israeli citizen named Yarden Bidani. Neither individual responded to requests for comment.

The leaked database and files indicate that vDOS uses Mailgun for email management, and the secret keys needed to manage that Mailgun service were among the files stolen by my source. The data shows that vDOS support emails go to itay@huri[dot]biz, itayhuri8@gmail.com and raziel.b7@gmail.com.

LAUNDERING THE PROCEEDS FROM DDOS ATTACKS

The $618,000 in earnings documented in the vDOS leaked logs is almost certainly a conservative income figure. That’s because the vDOS service actually dates back to Sept. 2012, yet the payment records are not available for purchases prior to 2014. As a result, it’s likely that this service has made its proprietors more than $1 million.

vDOS does not currently accept PayPal payments. But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts.

They did this because at the time PayPal was working with a team of academic researchers to identify, seize and shutter PayPal accounts that were found to be accepting funds on behalf of booter services like vDOS. Anyone interested in reading more on their success in making life harder for these booter service owners should check out my August 2015 story, Stress-Testing the Booter Services, Financially.

People running dodgy online services that violate PayPal’s terms of service generally turn to several methods to mask the true location of their PayPal Instant Payment Notification systems. Here is an interesting analysis of how popular booter services are doing so using shell corporations, link shortening services and other tricks.

Turns out, AppleJ4ck and p1st routinely recruited other forum members on Hackforums to help them launder significant sums of PayPal payments for vDOS each week.

“The paypals that the money are sent from are not verified,” AppleJ4ck says in one recruitment thread. “Most of the payments will be 200$-300$ each and I’ll do around 2-3 payments per day.”

vDos co-owner AppleJ4ck recruiting Hackforums members to help launder PayPal payments for his booter service.

It is apparent from the leaked vDOS logs that in July 2016 the service’s owners implemented an additional security measure for Bitcoin payments, which they accept through Coinbase. The data shows that they now use an intermediary server (45.55.55.193) to handle Coinbase traffic. When a Bitcoin payment is received, Coinbase notifies this intermediary server, not the actual vDOS servers in Bulgaria.

A server situated in the middle and hosted at a U.S.-based address from Digital Ocean then updates the database in Bulgaria, perhaps because the vDOS proprietors believed payments from the USA would attract less interest from Coinbase than huge sums traversing through Bulgaria each day.


17
Aug 15

Stress-Testing the Booter Services, Financially

The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers.

By offering a low-cost, shared distributed denial-of-service (DDoS) attack infrastructure, these so-called “booter” and “stresser” services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. Indeed, KrebsOnSecurity has repeatedly been targeted in fairly high-volume attacks from booter services — most notably a service run by the Lizard Squad band of miscreants who took responsibility for sidelining the Microsoft xBox and Sony Playstation on Christmas Day 2014.

For more than two months in the summer of 2014, researchers with George Mason University, UC Berkeley’s International Computer Science Institute, and the University of Maryland began following the money, posing as buyers of nearly two dozen booter services in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.

PayPal will initially limit reported merchant accounts that are found to violate its terms of service (turns out, accepting payments for abusive services is a no-no). Once an account is limited, the merchant cannot withdraw or spend any of the funds in their account. This results in the loss of funds in these accounts at the time of freezing, and potentially additional losses due to opportunity costs the proprietors incur while establishing a new account. In addition, PayPal performed their own investigation to identify additional booter domains and limited accounts linked to these domains as well.

The efforts of the research team apparently brought some big-time disruption for nearly two dozen of the top booter services. The researchers said that within a day or two following their interventions, they saw the percentage of active booters quickly dropping from 70 to 80 percent to around 50 percent, and continuing to decrease to a low of around 10 percent that were still active.

While some of the booter services went out of business shortly thereafter, more than a half-dozen shifted to accepting payments via Bitcoin (although the researchers found that this dramatically cut down on the services’ overall number of active customers). Once the target intervention began, they found the average lifespan of an account dropped to around 3.5 days, with many booters’ PayPal accounts only averaging around two days before they were no longer used again.

The researchers also corroborated the outages by monitoring hacker forums where the services were marketed, chronicling complaints from angry customers and booter service operators who were inconvenienced by the disruption (see screenshot gallery below).

A booter service proprietor advertising his wares on the forum Hackforums complains about Paypal repeatedly limiting his account.

Another booter seller on Hackforums whinges about PayPal limiting the account he uses to accept attack payments from customers.

"It's a shame PayPal had to shut us down several times causing us to take money out of our own pocket to purchase servers, hosting and more," says this now-defunct booter service to its former customers.

Deadlyboot went dead after the PayPal interventions. So sad.

Daily attacks from Infected Stresser dropped off precipitously following the researchers' work.

As I’ve noted in past stories on booter service proprietors I’ve tracked down here in the United States, many of these service owners and operators are kids operating within easy reach of U.S. law enforcement. Based on the aggregated geo-location information provided by PayPal, the researchers found that over 44% of the customer and merchant PayPal accounts associated with booters are potentially owned by someone in the United States.


29
Jan 15

The Internet of Dangerous Things

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year.

Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.

KrebsOnSecurity is squarely within that 38 percent camp: In the month of December 2014 alone, Prolexic (the Akamai-owned company that protects my site from DDoS attacks) logged 26 distinct attacks on my site. That’s almost one attack per day, but since many of the attacks spanned multiple days, the site was virtually under constant assault all month.

Source: Arbor Networks

Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks. The largest reported attack was 400 Gbps, with other respondents reporting attacks of 300 Gbps, 200 Gbps and 170 Gbps. Another six respondents reported events that exceeded the 100 Gbps threshold. In February 2014, I wrote about the largest attack to hit this site to date — which clocked in at just shy of 200 Gbps.

According to Arbor, the top three motivations behind attacks remain nihilism/vandalism, online gaming and ideological hacktivism — all of which the company said have been in the top three for the past few years.

“Gaming has gained in percentage, which is no surprise given the number of high-profile, gaming-related attack campaigns this year,” the report concludes.

DDoS Attacks on KrebsOnSecurity.com, logged by Akamai/Prolexic between 10/17/14 - 1/26/15.

Longtime readers of this blog will probably recall that I’ve written plenty of stories in the past year about the dramatic increase in DDoS-for-hire services (a.k.a. “booters” or “stressers”). In fact, on Monday, I published Spreading the Disease and Selling the Cure, which profiled two young men who were running both multiple DDoS-for-hire services and selling services to help defend against such attacks.


20
May 11

Krebs’s 3 Basic Rules for Online Safety

Yes, I realize that’s an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that — if followed religiously — can blunt the majority of malicious threats out there today.

Krebs’s Number One Rule for Staying Safe Online: If you didn’t go looking for it, don’t install it! A great many online threats rely on tricking the user into taking some action — whether it be clicking an email link or attachment, or installing a custom browser plugin or application. Typically, these attacks take the form of scareware pop-ups that try to frighten people into installing a security scanner; other popular scams direct you to a video but then complain that you need to install a special “codec,” video player or app to view the content. Only install software or browser add-ons if you went looking for them in the first place. And before you install anything, it’s a good idea to grab the software directly from the source. Sites like Majorgeeks.com and Download.com claim to screen the programs they offer for download, but just as you wouldn’t buy a product online without doing some basic research about its quality and performance, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you’re not signing up for more than you bargained for. Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.

Krebs’s Rule #2 for Staying Safe Online: If you installed it, update it. Yes, keeping the operating system current with the latest patches is important, but maintaining a secure computer also requires care and feeding for the applications that run on top of the operating system. Bad guys are constantly attacking flaws in widely installed software products, such as Java, Adobe PDF Reader, and Flash. The vendors that make these products ship updates to fix security bugs several times a year, so it’s important to update to the latest versions of these products as soon as possible. Some of these products may alert users to new updates, but these notices often come days or weeks after patches are released.

Krebs’s Rule #3 for Staying Safe Online: If you no longer need it, remove it. Clutter is the nemesis of a speedy computer. Unfortunately, many computer makers ship machines with gobs of bloatware that most customers never use even once. On top of the direct-from-manufacturer junk software, the average user tends to install dozens of programs and add-ons over the course of months and years. In the aggregate, these items can take their toll on the performance of your computer. Many programs add themselves to the list of items that start up whenever the computer is rebooted, which can make restarting the computer a bit like watching paint dry. And remember, the more programs you have installed, the more time you have to spend keeping them up to date with the latest security patches.

56 comments

  1. Bravo Bravo!! 🙂 Good Work Krebs

  2. I like the three rules–but I would have thought one preceded these: create and use a “limited” or “standard” user account for internet browsing. Has the UAC in Windows 7 rendered this one obsolete?

    • I debated whether to include a bit on the standard user/non-admin advice, and it certainly is solid advice. I wanted to keep it relatively simple, and have each of these three follow from one another.

      Per your question, I think that at least as it relates to UAC, if one follows Rule #1, then the UAC should be allowed to do its job (i.e., “Are you sure you want to install this program?”, “Well, no, I didn’t ask to install any program!”)

      • I agree with keeping it very simple, Brian. Most of the general users I talk to about staying safe would not have the slightest idea what I meant by using limited accounts but those rules you listed they can understand. And the new malware MacDefender on the MAC can be avoided with your rule #1.

    • I second the comment by Dennis. I’ve always run as limited user. It took a little tweaking for some programs on Windows XP but with Windows 7 there is no longer any excuse not to run as a limited user.

      • Agreed that there is no excuse to avoiding admin accounts except for the fact that Windows *still* creates an admin account *by default* upon installation. There is also no excuse that this remains true this far down the road. This is not the case with competing desktop operating systems like Mac and Ubuntu.

        • I’m not sure I get your point, Bob. When you install Windows, you get an Administrator account created automatically, just as on Linux and Mac OS X a “root” account is created automatically. The only real difference is the name. The default account created when you install Windows, OS X, or Linux has access to administrator permissions. On Windows, that access is controlled through UAC. On OS X, it’s through the administrator prompt. If I’m remembering right, it’s the same thing on Linux as OS X (or similar in appearance).

          Maybe I am missing some subtlety of your point, but there needs to be an administrator account (regardless of the name you call it) on a system. You don’t have to (and shouldn’t) use it for routine daily tasks, but you kind of need it if you want to install software, change system settings, etc.

          Every desktop OS I’ve ever used creates some kind of administrator account by default, and with good reason.

          • My point is that nothing tells the average user activating / installing Windows to create a separate non-admin account for everyday usage. On both OS X and Ubuntu, the average user defaults to using a non-admin account. (The ‘root’ account on Ubuntu is disabled by default. You can’t login with root. AFAIK, Mac OSX is similar) I suspect that the vast majority of Windows 7 users are running in the default admin account that is created upon installation activation.

            Do you have any reason to believe that the majority of Windows users are NOT running under admin accounts?

            • The “administrator” account is disabled by default on Windows 7. When you install the O/S, it asks you to make a username/account (NOT “administrator”).

• > CW
                > When you install the O/S, it asks you to make a username/account (NOT “administrator”).

                That default Windows 7 username/account you create is of type ‘Administrator’ not ‘Standard User’.

                So I repeat, by default Windows 7 does NOT put you into the recommended account type. And since nothing, by default, tells you to create a ‘Standard User’ account, most of the world is running under an Administrator (type) account.

  3. Great and Exactly: “If you didn’t go looking for it, don’t install it!”

I know people who have installed many useless things, and when I ask “Do you need all this stuff?” they answer me “I don’t know, on FB someone was telling me to download it and I did it”.

This is the “social” trick used by many hackers to create a network of zombie computers, and sadly people should really pay attention when downloading something, asking, as you said, “do I need it?”.

But think about it: Is it free? “Ah! It’s free, I don’t know if I will ever use a VPN client but hey, it’s free, maybe one day I will use it” – A friend of mine personally told me “No, I don’t need all these applications, but when my friends come and see how many applications I have they say Wow!”

An “all-you-can-eat” buffet, hard to say no… right? But guess what… who is going to keep tons of applications updated?

Your post gives the answer. I am going to re-tweet this.

    • My problem with users is getting them to understand that they have to be looking for it first!

      Plenty of them understand not installing things without wanting to install them. But it seems like when they get the prompt to update their codec, that qualifies as a “New thing, now I’m looking for it.”

      I had one tell me that he was trying to keep his system up to date when he got those prompts. I couldn’t get him to understand the difference between downloading program updates from a manufacturer and just downloading “codecs” from any other source.

  4. You forgot one thing, the majority of folk out there panic and click like mad if a pop up occurs, “Winfix” is a prime example! Facebook is the main culprit, all those horrible apps kicking around, but yes your 1,2,3 basic rules are great advice for the novices!

  5. Well done sir. I think something like this should be required reading before you’re allowed to operate a machine!

  6. On Slashdot.org today, they had a question about security on the smartphone. The answers were not satisfying. I would like to hear your words of wisdom in this arena. What are your rules of security for smartphones?

    • I’ll take a pass at providing some input in this area:

First thing, all three rules in the article above still apply. If you use your phone with the same caution you *should* be using with your computer, you’re off to a pretty good start.

      The other tip I might give at this point is to choose your phone to minimize your exposure. Right now Android devices are looking to be the most susceptible to widespread abuse. They have a large install base, and a very open process for applications. In my opinion only, these factors are combining to make it the most attractive target for attackers.

At this point I would also look for a phone that is easy to update, and actually receives regular updates. iPhones aren’t a bad choice at the moment, in part because of their vetting process (walled garden) for apps. Take advantage of the encryption features available and ensure you have a password (not a PIN number!) on the device if possible.

      Otherwise good luck, smartphone security still looks like a mess to me overall.

    • Hi Mike. That’s a great idea for another post. For now, I’d say that these three rules apply to keep you out of most trouble, regardless of which OS or browser you’re running.

      • I assume you have already written, and can link us, to an earlier post about security needed BEFORE you connect to the Internet.

        If you don’t have security against viruses, hackers, power surges, etc. then you won’t have a working PC for very long.

        Allowing one’s computer to be unprotected, while connected to the internet, can be compared to owning a handgun and putting it out on your doorstep every night, in case a passing robber might be in need of one.

  7. Another one I tell people all the time is to keep your computer use professional. Take your computer seriously!

    If you’re going to mess around on the internet, use any file sharing programs, use pirated software, look at adult materials, look at funny internet videos and websites, you should do that on a separate computer that you don’t mind reinstalling, or bringing into the shop to get serviced every month or two. If you can’t afford that, or can’t afford a second computer, then don’t take the risks.

There are true, substantial costs to goofing off on your computer. Be ready to pay them. If you mix business and pleasure on the same computer, you run a very high risk of making your business a part of that cost.

    • I guess I should clarify a bit – by “business” I mean important things related to your real life activities, but excluding most socializing. This usually would mean email, managing any website you own, work-related activities, homework, school-related activities, communicating with a small circle of professional or educational associates, etc. Basically anything that would impact your life if they got hijacked, destroyed, or lost.

      Although some people form the damndest associations with their facebook gardens…. sigh.

8. I think you nailed this. If “four” were as magic a number as “three”, then I’d add 1 more thing.

    4. Automatic, reverse-incremental, validated, daily backups.

    If you have 30 days of system backups, perhaps a user could recall *about when* all the funny things started happening and restore from a backup before that time. Obviously, the flaw with this method is the user needs to recognize “something funny” before the older backups roll off storage.

    Some friends have recently been hacked by clicking attachments in emails from friends’ hacked webmail accounts. They knew it immediately, but it was already too late. Most of them have gotten backup religion now, but it sure would have been helpful if they’d gotten that religion **before** the click.

  9. Recommended addition: DNS Security suggestions

    OpenDNS, Google DNS, etc.

  10. Scott Hollingsworth

    Keep it simple is great. Be prepared to go deeper. Some will ask questions, great questions too! Others won’t. Those who don’t will still need help. Those who do will ask more. I charge more of the ones who don’t ask.

  11. Very nice. Basic as in “easy to follow” and basic as in “requires no computer knowledge”. Plenty of people who use Windows every day would balk at creating a new user.

  12. Brian.. ya NAILED it bud.

    Thanks for all you do.

  13. KRFSSO #3 corollary: “If you don’t need it right now, disable it”

    I apply this rule by disabling all Firefox add-ons (extensions and plugins) when I’m not actively using them.

14. I took the time to remove items from the startup menu upon first buying my laptop, but did not realize that installed programs can automatically place themselves in startup. After reading this I took a look and was surprised to see all the garbage in the startup programs. I removed the unnecessary items and it made a huge difference in boot time. Thanks. Occasionally while surfing the internet on a seemingly safe site I will be redirected to a page for a recommended computer scan and the appearance of a task bar. I immediately close the window and download nothing; could that still cause problems?

  15. I think “If you didn’t go looking for it, don’t install it!” should actually be :

    “If you didn’t go looking for it, avoid it!”

Since many attacks do not seem like an install. They just require a click or interaction.

16. It’s a nice list with good recommendations, but I don’t think it’s enough. I’ve found that many users understand some of these common-sense principles for staying safe, but the details trip them up. It’s like the second they face an unusual technical situation, their minds freeze and they start doing dumb things. So, I give them general advice like you outlined and specific warnings.

    One thing that should probably be added specifically is not opening attachments or following links in emails, especially emails with friends’ names and only links in their body.

    Another warning I give is to never download pirated software. There’s currently a Mac botnet out there that was created by trojaned, pirated Mac titles. I also advise AV scanning any movies, music or pictures people download. Finally, I recommend a HIPS like DefenseWall, Comodo Security+ or AppGuard because they can nullify many zero days.

    The three rules are a nice start. The average user needs just a little more advice to be safe from there.

• A good point about the email. If I were to add a 4th rule, it would be your suggestion about email. I recently had 2 people, not techies, ask me to look at a strange email they got from a friend. Sure enough it was a bot on their friend’s computer, and they were smart enough to not click on the link. I also got an email from a friend which was obviously from a bot on their computer. The most obvious thing I tell people to look for is an email with a link that appears to be sent to everyone in the sender’s address book and is not the type of email usually sent by their friend.

I also tell them if they are suspicious of an email to google the subject of the email. Phishing email subject lines will often have already been reported.

      • Yes, I thought an advisory about email messages should be included. Even normally Internet-savvy people can be hoodwinked by phishing email messages.

        • @Heron, that advice is included in #1:

          “Also, avoid directly responding to email alerts that (appear to) come from Facebook, LinkedIn, Twitter, your bank or some other site that holds your personal information. Instead, visit these sites using a Web browser bookmark.”

          • … or have a look at the links:

For example, you receive an email that claims to be from Twitter and they ask you to click a link; let’s inspect it a bit:

            If it’s something like http://twitter.com/!/yogem – You can see that the link is genuine but:

            http://twitter.freehosting.com/!/yogem – You can see that the link is NOT genuine at all – Can you imagine Twitter running on a free hosting service? O_o

Luckily, there are mail clients like Thunderbird and webmails like Gmail that WARN the users regarding bogus links, usually saying something like “This email is a fake” (in Italian: “Questa email potrebbe essere una frode.” – Thunderbird).

If we CLICK without knowing what we are going to click, if we don’t have a look at URLs that are strange (again, will you trust twitter.freehost.com?), well, maybe we are really going to be part of this game, but if we start trying to understand what we are going to visit I am sure that this kind of threat is going to slowly disappear or become just a minor problem.

• I just want to answer regarding movies, music and pictures: You should scan archived files that are claimed to include movies, music and pictures! A .mov file cannot include scripts, a .jpg/.png/.gif (and so on) cannot include scripts, an .mp3 file cannot include scripts, but after you deflate an archive you don’t know what is going to be inside: be suspicious of self-extracting archives, be suspicious of images with an extension that finishes with .exe/.bat/.com (in Windows’ case); .exe files can also have icons that resemble a picture. On Mac, if you try to open an image that in reality is an application, the system will warn you, asking whether to run it or not.

      But again, a well studied phishing/hacking attack can convince people to do stupid things so again:

      1) “If you didn’t go looking for it, don’t install it!”
      2) “Great, you installed it and it’s safe!? Now, update it.”
      3) “Don’t need it anymore? Remove it!”

  17. Brilliant – exactly what is needed for naive users. Thanks.

    Two points: firstly, a reminder that PSI is for personal use only – use in a commercial environment is strictly prohibited by the licence; secondly, PSI uses Java (on Firefox anyway) so do not uninstall Java if you wish to use PSI.

    • Peter,

      Thanks for the kind words. Just FYI: PSI does *not* require Java. That’s only if you want to run their Online Software Inspector.

      • Oops! Yes, of course you are right – I was thinking of the online version (hence the reference to Firefox). Sorry…

  18. “If you didn’t go looking for it, don’t install it!”
    I agree. But you should still screen your files or installers even if you got them from a very reputable download repository, such as Download.com.

    I used to be a software reviewer and I’ve downloaded thousands of files from Download.com. 20% of all my downloads are either corrupted or infected with viruses (even if the website certified that the software is spam, malware, or virus-free).

    How do I know? I use a crowdsource antivirus system, like VirusTotal.

• Not to be rude, but doesn’t that define the term disreputable; how is that acceptable? 1 in 5 downloads will infect your computer?

      I always try to go to the software website or something like sourceforge. As far as I know I have never had one infected file due to application installs.

• The fact that 1 in 5 downloads “may” infect your computer is true; the problem is the average usage of a computer, I mean: Who operates the computer and how?

        If you are searching for porn, games, nulled software you can have also 5 in 5 downloads as infected.

Obviously if you search for open source applications, like on SourceForge, or applications that are reputable, and install just the applications you really know and trust… well, you are a particular “part” of the audience and I am sure that, like me, you are going to have 5 in 5 downloads NOT infected and not a threat at all.

Let’s imagine these 3 rules are just for newbies and/or for people that can be potentially “tricked” by suspicious ads all over the internet.

        • I was referring to the original post which stated that the download.com was reputable AND 1 in 5 apps are infected. Something’s wrong there.

          I don’t think I’m very advanced. When I see an interesting program I go to the developer’s site out of curiosity. If I’m interested that’s where I’ll download it from.

          • Oh… ok, sorry!

            Regarding Download.com.. it’s not a reliable source! Many applications are linking websites that are not available anymore and someone with bad intentions can decide to do something like this:

Searching for a popular application with a non-working link, checking if the domain is expired, if yes buying it – compiling a malware, creating a download with the same name, in the same position as specified on Download.com and ta-da! You have a new malware spreading in town…

            So the best source is, as you stated: developer website.

  19. I’ve always found one rule that trumps them all and provides the best protection:

    Learn critical thinking skills and utilize them in all that you do, to the point it’s a habit you don’t even realize you’re doing.

    This allows you to stop and think about things before acting, analyze and observe what is before you and question assumptions, then make appropriate decisions that keep your safety in check.

    I’ve noticed for years now that many, many people fail at a basic level to do this and they subsequently suffer the consequences. Yet, in the end, instead of looking at how their own actions or inactions contributed to the problem, they point fingers elsewhere (the victim mentality).

    • I think if you’re actually successful at accomplishing this with users who have had technology thrust upon them, you may be in the wrong profession.

      • “technology thrust upon them”

        To me, that sounds like an excuse. Granted learning new things can be difficult. I’ve found it so as I’m getting older. But, there is no excuse for not taking the effort to learn something, at least enough to make it benefit you, instead of the opposite. I don’t know a whole lot about a great many things. But, I take the time and effort to ask questions, make observations, and learn about those things that may have an impact on my life so I can then take appropriate steps to protect myself. I’m not a car mechanic, electrician, plumber, etc. But, I’ve learned enough about these things to understand their inherent dangers and how best to avoid them, while at the same time I have the ability to do some of my own repairs on such systems and know when it’s time to call in the professional. Is it so difficult for the average person to do the same in learning how best to operate a computer? Are computers really that scary? Are people just that lazy or stupid? We shouldn’t have to beat these security rules into people’s heads over and over time and again! At what point do people stand up and take some responsibility for their own actions?

        • @xAdmin
          When I got my first computer I had to put it together myself. This was before the IBM PC or the Apple I or the Radio Shack Model I. I was just fascinated by computing. Not everyone is like me. Not everyone is like you.

          Many smart people are not fascinated by computing but are very talented and use “critical thinking” in other fields.

Today, the computer has become almost a necessity. Everyone wants your email address. When you need information on something they will give you a web address, or they will tell you to ‘google’ it. Technology WAS thrust upon them. Instead of being just a tool to help them with their other work it has become a major task all on its own.

          The rapidly changing technology in the computer field is not the same as the automobile or plumbing. If it was we wouldn’t even need this blog. We don’t have constant critical upgrades to apply to the layout of the dashboard, the transmission, the clutch, etc. to the car we just bought last year. We don’t have monthly patches to apply to keep our car or our water safe and keep hackers out.

          Maybe many of the people you have dealt with use it as an excuse, but I would be hesitant to label all people who have trouble dealing with computers/software as lazy or stupid.

        • @xAdmin, I need to agree with Aminof because yes, maybe the computer now is a fundamental tool, something we cannot miss, if you have a look… computers surround us.

          Dual Core Mobile Phones, Computers in our Cars, Computers inside TV (or Computer disguised as TV) and so on but labeling people as Lazy and Stupid is too much.

I remember when I was a kid, I was already dealing with backdoors on Windows 95 while my dad was asking me for help to use the videotape recorder; he was not able to switch from TV to AUX, and one day he also recorded over a show I was supposed to watch, but no one ever said “The old generation is stupid because they cannot use a videotape player well”.

          Now, after 20 years our parents are the same, they call us just to know why there’s no internet, why there’s no audio, why they got a virus… but they are not stupid or lazy.

          I know how to deal on this things, as well many of the followers of this blog… because we are into tech, because we love this kind of topics, because! And we live our life…

Others have a normal life too; maybe some are doctors dealing with cancers as an everyday rule but totally ignorant about computers. They still save people while we save computers – So, are you sure they are lazy or stupid? I don’t think a doctor will point his finger at you saying “Stupid or Lazy” because you are not able to cure a patient with terminal cancer!

        • I should’ve avoided referring to people as lazy or stupid, as that has obviously detracted from my main point(s). For example, let’s take the latest Mac malware issue.

          Mac malware spreads via Facebook links
          http://nakedsecurity.sophos.com/2011/05/31/imf-boss-rape-video-mac-facebook-users-hit-by-a-sick-scareware-attack/

Now think about all the steps that are needed here and how critical thinking or lack thereof comes into play on a multitude of levels:

          1. You’re on Facebook. That in and of itself has all kinds of implications. Just kidding 😉
          2. You see a comment from a friend on your wall linking to a seemingly seedy video. Did they mean to post this? Is this really from your friend? Do you hover the mouse over the link to see where it goes or just click on it?
          3. You couldn’t resist and clicked the link and now you’re on some website that pops up security warnings that your computer is infected. Do you take that at face value and proceed as directed?
          4. You decide to proceed (you really want to see that video) and are prompted to step through the installation process. If prompted for your credentials, do you provide them? Do you continue and finish the installation?
          5. The installation is complete and now you are prompted to enter your credit card information to “clean” your system? Do you enter that information?
          6. You’ve entered your credit card information and still cannot see the video. Do you realize the implications now? Do you know how to remove the malware? Do you contact your credit card company?

          Ugh! What a mess! Now, if you were skilled in using critical thinking, you would’ve never even completed number 2! Or had to rely on Krebs Number One Rule! 🙂

    • I think the 3 basic rules listed here give a non-technical user the basic questions to ask themselves which is what you’re actually saying the user should be doing. Whether you would consider this “critical thinking” or not, I don’t know, but it appears to me that the rules are more specific as to how the user should get started in identifying possible dangerous actions.

  20. Good article. Keeping it simple is always a good thing. But what about the latest Facebook likejacking scam. That is, how do I know it wouldn’t happen to me when I clicked on YOUR link from Facebook? (Rhetorical question)

    Below is the link that describes the problem. Conversely, do you trust a link from a stranger? (Rhetorical Question)
    http://nakedsecurity.sophos.com/2011/05/27/baby-born-amazing-effect-no-another-facebook-likejacking-scam/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

    • “[D]o you trust a link from a stranger?”

      No, Gigi, not even those in your post! Brian has us well trained.

      • @JBV Yes, I can understand your not wanting to click. I am a stranger. But with Facebook, people are all too trusting because they perceive a friend’s link as being “safe”. That is precisely how this “likejacking” thing seems to spread. It is like a vicious combination of phishing and viruses. Social media is being infiltrated the same way email was say 7 years ago. I am hoping that Brian, the expert, can confirm the validity of what I am posting.

    • I think it’s important to keep a perspective on this stuff. Likejacking is usually done when one is actually ON Facebook. Also, in the few times I’ve purposefully tried to click on a likejacking link, NoScript has blocked the attack or warned that something was seriously fishy. In fact, I think the last time I tried to click a likejacking link I ended up having to disable the add-on and restart Firefox before I could even get the dang clickjacking thing to load. It appears to be pretty handy in this regard.

      I’m probably not the best person to ask about Facebook, because I don’t really use it that much (mostly I find it to be a time-suck). I spend far more time on Twitter. But I make the Facebook link available on my site for people who prefer to follow my blog that way.

      • Thanks for responding. Yes, likejacking is specific to Facebook. I am just concerned because I see mobile devices and social media being infiltrated in much the same way as websites and email have been. Anyway, as a security expert, perhaps you know my husband, David Glosser? He runs a free site: DNS-BH – Malware Domain Blocklist Malware Prevention through Domain Blocking. (Just Google Malware Domains, and his site comes up #1 organically.) All the best, Gigi

  21. BTW, xAdmin has a link to the same site I am linking to. He is describing “Mac malware spreads via Facebook links”, which is similar to what I am writing about…

  22. I’d like to throw my 2 cents in…

    Far too many people think there is just one OS, Microsoft. Here is an idea. Run something other than that…

    My computer shop depends on MS getting hit but I run Linux (Mandriva 2008.1) and have yet to be hit. Mac and Linux don’t get the bugs like Microsoft does 🙂


Antivirus is Dead: Long Live Antivirus! — Krebs on Security

07
May 14

Antivirus is Dead: Long Live Antivirus!

An article in The Wall Street Journal this week quoted executives from antivirus pioneer Symantec uttering words that would have been industry heresy a few years ago, declaring antivirus software “dead” and stating that the company is focusing on developing technologies that attack online threats from a different angle.

Ads for various crypting services.

This hardly comes as news for anyone in the security industry who’s been paying attention over the past few years, but I’m writing about it because this is a great example of how the cybercrime underground responds to — and in some cases surpasses — innovations put in place by the good guys.

About 15 years ago, when the antivirus industry was quite young, there were far fewer competitors in the anti-malware space. Most antivirus firms at the time had a couple of guys in the lab whose job it was to dissect, poke and prod at the new crimeware specimens. After that, they’d typically write reports about the new threats, and then ship “detection signatures” that would ostensibly protect customers that hadn’t already been compromised by the new nasties.

This seemed to work for a while, until the smart guys in the industry started noticing that the volume of malicious software being released on the Internet each year was growing at a fairly steady clip. Many of the industry’s leaders decided that if they didn’t invest heavily in technologies and approaches that could help automate the detection and classification of new malware threats, they were going to lose this digital arms race.

So that’s exactly what these firms did: They went on a buying spree and purchased companies and technologies left and right, all in a bid to build this quasi-artificial intelligence they called “heuristic detection.” And for a while after that, the threat from the daily glut of malware seemed to be coming under control.

But the bad guys didn’t exactly take this innovation laying down; rather, they responded with their own innovations. What they came up with is known as the “crypting” service, a service that has spawned an entire industry that I would argue is one of the most bustling and lucrative in the cybercrime underground today.

Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.

Incidentally, the bad guys call this state “fully un-detectable,” or “FUD” for short, an acronym that I’ve always found ironic and amusing given the rampant FUD (more commonly known in the security industry as “fear, uncertainty and doubt”) churned out by so many security firms about the sophistication of the threats today.

In some of the most sophisticated operations, this crypting process happens in an entirely automated fashion (the Styx-Crypt exploit kit is a great example of this): The bad guy has a malware distribution server or servers, and he signs up with a crypting service. The crypting service has an automated bot that at some interval determined by the customer grabs the code from the customer’s malware distribution server and then does its thing on it. After the malware is declared FUD by the crypting service, the bot deposits the fully crypted malware back on the bad guy’s distribution server, and then sends an instant message to the customer stating that the malware is ready for prime time.

Crypting services are the primary reason that if you or someone within your organization is unfortunate enough to have opened a malware-laced attachment in an email in the first 12-24 hours after the bad guys blast it out in a spam run, there is an excellent chance that whatever antivirus tool you or your company relies upon will not detect this specimen as malicious.

In short, as I’ve noted time and again, if you are counting on your antivirus to save you or your co-workers from the latest threats, you may be in for a rude awakening down the road.

Does this mean antivirus software is completely useless? Not at all. Very often, your antivirus product will detect a new variant as something akin to a threat it has seen in the past. Perhaps the bad guys targeting you or your organization in this case didn’t use a crypting service, or maybe that service wasn’t any good to begin with.

In either case, antivirus remains a useful — if somewhat antiquated and ineffective — approach to security. Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats. The most important layer in that security defense? You! Most threats succeed because they take advantage of human weaknesses (laziness, apathy, ignorance, etc.), and less because of their sophistication. So, take a few minutes to browse Krebs’s 3 Rules for Online Safety, and my Tools for a Safer PC primer.

Oh, and check out the Wall Street Journal piece that prompted this rant, here.
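As an added example (not code from the article), here is the defender-side counterpart to the crypting loop described above, and to the entropy-and-allow-list idea raised in the comments: a heuristic that flags a file whose byte windows show the near-uniform distribution left behind by encryption or compression, but consults a hash allow-list first so legitimately packed software is not reported. The entropy threshold, the window size and both sample buffers are constructed for illustration and are not real binaries.

```python
"""Entropy-plus-allow-list heuristic for spotting crypted binaries.

Added example, not code from the article. The threshold, window size and
every sample buffer below are constructed for illustration.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# A uniformly random byte stream scores 8.0 bits/byte. Plain native code
# usually sits well below 7; encrypted or compressed payloads, which is what
# a crypting service leaves behind, approach 8. Tunable, and a heuristic only.
PACKED_ENTROPY_THRESHOLD = 7.2
WINDOW_SIZE = 1024  # bytes per window examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, size: int = WINDOW_SIZE) -> list[float]:
    """Entropy of each fixed-size window; a short trailing window is kept."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    sha256: str
    max_entropy: float
    allow_listed: bool
    suspicious: bool
    reason: str


def assess(data: bytes, allow_list: set[str]) -> Verdict:
    """Flag unknown files with an encrypted-looking window; never flag
    allow-listed hashes, so legitimately protected software is left alone."""
    digest = sha256_hex(data)
    max_ent = max(window_entropies(data), default=0.0)
    if digest in allow_list:
        return Verdict(digest, max_ent, True, False, "hash on allow-list")
    if max_ent >= PACKED_ENTROPY_THRESHOLD:
        # Unknown and encrypted-looking: worth a closer look. Commercial
        # protectors (Themida, VMProtect, ...) trip this too, which is the
        # false-positive problem the comments describe.
        return Verdict(digest, max_ent, False, True,
                       f"high-entropy window ({max_ent:.2f} bits/byte), not allow-listed")
    return Verdict(digest, max_ent, False, False, "no high-entropy window")


# --- constructed samples; neither is a real binary -------------------------

def plain_sample() -> bytes:
    """Repetitive, code-like bytes: low entropy, like an unpacked program."""
    return (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x85\xc0\x74\x05" * 200)[:2048]


def encrypted_like_sample(seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic pseudo-random stream (SHA-256 chaining) standing in for
    an encrypted payload; no cipher or real malware involved."""
    out = bytearray()
    block = seed
    while len(out) < 2048:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:2048])


def demo() -> list[Verdict]:
    """Unknown plain file, unknown crypted-looking file, then the same
    crypted-looking file once its hash is on the allow-list."""
    plain, packed = plain_sample(), encrypted_like_sample()
    return [
        assess(plain, set()),
        assess(packed, set()),
        assess(packed, {sha256_hex(packed)}),
    ]


if __name__ == "__main__":
    for v in demo():
        print(f"{v.sha256[:12]}  entropy={v.max_entropy:.2f}  "
              f"suspicious={v.suspicious}  ({v.reason})")
```

Running it shows the plain buffer passing, the random-looking buffer flagged, and the same buffer silenced once its hash is allow-listed, which is the trade-off a scanner faces between crypted malware and commercially protected software.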

161 comments

  1. and antivirus cannot detect the program is crypted and refuse to run it?

    • …obviously not.

    • The virus payload is crypted beforehand. The crypting is not performed on the target machine itself.

      • i read uyjulian’s question differently. rather than detecting the crypting process i think the reference was to detecting the tell-tale signs of an encrypted file.

        there are ways of detecting such things, but there are non-malicious uses for encrypting binaries, so i don’t know how many false alarms something like that would cause.

        • such as hiding code? What purpose is there to hide code other than to steal?

          • sometimes you hide your code to prevent other people from stealing from you.

            it’s not a perfect solution to protecting intellectual property, and i certainly wouldn’t endorse it, but i know that some people do use this technique.

            i’ve even heard of a crypting product years ago that used the same algorithm (MtE) that a virus writer named Dark Avenger created and used in his viruses. Alan Solomon told me the legal ramifications of false alarming on legit binaries encrypted with that algorithm was what kept Dr Solomon’s Anti-Virus from simply alerting on the MtE engine itself in order to catch all the malware that used it.

            • Ah.
              Instead of full-on false alarming just warn the program is crypted and av can’t check ?

            • So detect the crypting process…. and CHECK against a whitelist of known trusted binaries, before flagging it as malware. Anything both crypted and not whitelisted = Malicious.

              • That’s a bad idea, because now software developers will hate you because you’ll be tagging their software as malicious, and users will hate you for marking legitimate software as malicious.

                • I’m not worried about a few software devs having some issues; using crypter-like methods to “hide” your code is a lot like walking into a convenience store wearing a ski mask; don’t be surprised when the police or “overzealous” police suddenly show up to escort you to the quarantine folder.

                  The developers would simply have to adapt in their ways, once enough security applications have adopted the technique.

                  I think users will hate you more, if you fail to catch malware, because you gave a free pass to software trying to conceal its purpose.

                  • Worth mentioning so we know: there exist some modules which are very close to impossible for AV to see any trace of encrypted data in the binary, and the decryption of the payload into memory will happen just like magic with a simple genuine algorithm. The issue is a little more complex than we think. 🙂

    • Bad, bad propaganda

  2. lying down, not laying down.

    • “Laying down” is grammatically correct. But in all other instances, the bad guys lie.

      • “Laying down” is absolutely, emphatically, 100% grammatically wrong. To lie down is to put oneself in a horizontal position. To lay down is to place something on a surface.

      • Original was incorrect but informal . You lie down by your own effort; you lay something else down.

        • Lay requires a direct object (transitive); lie does not (intransitive).

          “But the bad guys didn’t exactly take this innovation laying down” is wrong. “Lying down” is correct.

          • Not so: you don’t lay down yourself, you lay down your arms.

            • Wrong, svefehd. As Jerry pointed out, “lay” is a transitive verb, and it is therefore used, rather than “lie,” when a direct object follows. The direct object could be “your arms,” as in “You lay down your arms,” and it could also be “yourself,” as in “You lay yourself down.” Both examples are correct. Recall the child’s prayer: “Now I lay [not lie] me down to sleep.” The child could either “lie down” or “lay me down.” Both are correct. What he can’t do, grammatically speaking, is “lay down.”

    • Sheeze! I thought I was bad at going off topic! :/

  3. Great article as always. Customer education and layered security is the best approach. Helps to read your blog to stay abreast of schemes we may not have known about that someone communicated to you. Keep up the good work!!!

  4. Boy, I really need to work on my rant skills.

    • Dennis the Menace

      I was going to suggest that…

    • Your ranting is alright but the raving is where you really shine.

      • HA! 😀

      • Yeah, I suppose I should really focus in and nit-pick one part of someone’s reply and completely ignore everything else they said. That’s a far more sensible option and certainly not a complete waste of everyone’s time.

  5. What a great explanation of crypting services! AV is still essential on any PC, but a layered defense is best!

  6. I just read your 3 rules for PC safety and they bring up a question. When I open Windows Mail it automatically goes into send and receive; when the new mail is shown it most often opens the most recent mail and quite often also opens the attachment as well if there is one. Since opening unwanted mail is a bad thing, this seems dangerous. How can I make it stop?

    • Get a different email client! One that doesn’t automatically open anything – ever!

    • Microsoft Live Outlook (Hotmail) doesn’t do that either!

    • Most email clients have configuration options. Most likely, you can configure your client not to automatically open attachments.

      Regards

  7. Daniel Schrader

    A former employee of Symantec – and Trend Micro, and of other security companies, I can tell you that the better AV products stopped relying on file scanning as the primary means of protection years ago. The better solutions – BitDefender, Kaspersky, Symantec (Norton), and others all provide layers of protection.

    The free AV products typically rely on file scanning. The suites also include file reputation (has that file been seen before and is it associated with malicious-type behavior), source reputation, heuristics, IPS, traffic monitoring…..

    The point is that the phrase “AV is dead” is meaningless – as are those AV tests that only look at file scanning.

    What the security industry really needs is a well funded, independent source of efficacy tests. Most of the efficacy testing is paid for by the vendors – and testing this stuff is very expensive. I used to help manage some of the competitive testing at an AV company – so I know how they stack the deck. The magazines that review these products long ago stopped doing independent testing.

    There are big differences in detection rates between security products – good luck trying to find the data.

  8. What about a whole new approach. The AV folks test every application out there. Anything NOT marked ‘good’ is automatically quarantined.

    • that’s not new, that’s called whitelisting. many AV vendors provide whitelisting functionality these days.

      that being said, it’s not easier than compiling a list of all the bad software out there, it’s actually much harder for 2 reasons:
      1) there are orders of magnitude more good binaries than bad, and the number of good binaries is increasing orders of magnitude faster than the bad ones (see here http://anti-virus-rants.blogspot.com/2008/05/bad-really-is-in-minority.html)
      2) the only criteria we have for declaring something is good is that we can’t find anything bad in it, so we’re still left with looking for the bad things, even when compiling a list of good things.

      • I have the Windows Parental Control application whitelist turned on on my honeypot – it does pretty well. It only worries about the executables already on the machine; anything new that tries to run gets squashed. It seems to work very well, and I still have good functionality. If I have something I need to run, I allow it in the administrative account. Of course there is always the UAC also.

        I find that a good HIPS goes a long way too. I’m beginning to think that is almost all Emsisoft uses on their anti-malware product. Anti-virus is dead – long live the anti-malware! 😀

      • The file reputation piece is useful as another bit of sauce in the AV suite pie.

        In a trial installation I found a top rated whitelisting application required too much administration to make it practical. I have similar feelings around AppLocker.

        • You’re right, and I’m not surprised. Really, whitelisting’s best use is in cases where a workstation’s – or server’s – functionality is strictly defined, and only certain executables are ever supposed to run with few to no exceptions. That’s way more often the case with corporate/enterprise systems, and very rarely so with general use home systems. Too much general functionality is demanded of home computers and mobile devices to make whitelisting truly practical. So while it’s attractive, it ends up being so blasted time consuming that it drives an end-user crazy. And risks having them relax security in order to end the aggravations.

          It has its positives, but all I have to think about is making my mother, or various aunts implement this and I can see what a support burden it would be.

          I’ve often liked the idea behind Tripwire i.e. create a baseline hash of executable and monitored files when in a known safe, not-compromised state, then regularly rerun those hashes and see what’s changed, then flag it for examination. Problem is, on the individual workstation level that’s even more time-consuming than straight-out whitelisting, and will often give tons of false positives. Enterprise Tripwire would of course have automation tools, but that’s too big a cost to the end user, not to mention too big a burden.

          I don’t know what the solution is. I’ve heard many suggestions converging on cloud computing and eventually virtualizing the entire user profile and desktop experience, but I’m sort of wary about those ideas. I just don’t know how to solve the problem.

          • My whitelisting approach isn’t too difficult. Stuff is whitelisted by where it’s located in the filesystem. If it’s located where only an elevated Admin could put it, then it is allowed. Non-Admins or unelevated Admins can use what’s in those locations, but they (or something exploiting their limited powers) cannot put new stuff where execution is allowed* Anything that colors outside those lines is arbitrarily denied.

            Is it perfect? No. Some software is *designed* to color outside the lines. The Steam game client and the consumer version of Google Chrome are a couple offenders. Definitely power-user territory for the home user. As you move across the spectrum from home to SOHO to SMB to enterprise, I think it gets more practical. This does assume the Admin rights are in trustworthy hands to start with, but if they’re not, you’re sunk regardless.

            *unless it can pull off a privilege escalation or a social-engineering technique to trick them into elevating. But that would never happen, no sir 😉

    • And who’s going to pay to test every build of every piece of software for every OS for every architecture out there?

      The creator? There goes the open source movement and, therefore, the internet. And all small companies and start ups. Hell, I doubt even the big companies would be able to afford it. Innovation would die. Profit margins would dive.

      The buyer? Many of them won’t shell out for existing AV products; no-one’s going to pay enough to cover even the bureaucratic cost of scanning every piece of software used, let alone cover the cost of the actual scanning process.

      And if it was done, what would happen? The bad guys would start writing nice little free utilities that turned bad a few weeks later. How do you test software that parses rulesets? That exhibits odd bugs in certain circumstances? We fail to find bugs when software has been written with the best intentions; we have no hope of finding bugs that have been deliberately, discreetly added.

    • Savant Protections makes a pretty good whitelisting product, it does require some configuration and testing when you first get going but after that it does pretty good at preventing new changes. Of course for the best results you have to make pretty narrow filters which can cause problems on systems that have a lot of changes happening all the time.

  9. This is why I generally use multiple layers of AV products. Currently I use MSSE as my primary along with herdProtect as my last line of defense. Works great so far!

  10. Bad, bad propaganda! Anti Viruses must die, they destroy regular software products of different small companies (they simply say that that exe is a malware and all is finished for that developer). Who are these AV companies to make unfair practice when they want to do it ?! ha ?!

  11. Hi, Brian! How are you?

  12. Guys let me tell you this “its business!” do it so that you can earn.

  13. Curious. Brian, in your 3 Tips section, you mention Download.com.
    Have you ever tried to download something from that C|NET site? OMG… the site may have a legitimate app to download, but the ads mimic the download buttons too well. Like a magazine that feels it is immune from the ads it sells space to (aka income), I refrain from web sources that propagate and rather, visit the original creator’s home.

    I think C|net needs a swift hit on their income to realize how they contribute to the issue of end-users getting taken. Even a savvy person will have to hesitate on d/l where the link isn’t what it appears.

    Adservers, and advertisers should also be held accountable for their “poorly” crafted ads and servers hosting them. And how some apps (say for iPhone) incorporate ads as an income source, some ads are so poorly designed or obnoxious that, the user will not take the product as “reliable”, “trustworthy” or effective. Go the pay route or enlist the ads that aren’t headaches.
    Plus the news that in the future, Google doesn’t want any URL indicators? So we won’t know where we are?

    • Hi Eddie,

      Yes, I have written about it

      http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/

      It’s awful now, I agree. It was more mentioned as a way to view reviews on software before downloading. And in the next sentence, I say always download from the source, for that very reason.

      • Get a good tool such as “AdBlock Plus” and the fake download links won’t even show up.

    • I can’t help but reply here, because that whole CBS takeover of CNET, ZDNet, and Tech Republic is a thorn in my side. Because of their greed, they’ve practically ruined all of those formerly popular assets; I can’t log into most of their discussion because of all the attempted page redirects, and malicious ‘malvertisements’ my browser gets hit with when I lower the defenses so I can post over there. So it isn’t just the downloads that are a disaster, but the whole CBS family that is going down hill. It makes me very angry, because those sites used to be my favorite hang outs. It will just be a matter of time before the robber barons soak them for all they’re worth, and throw them into the garbage dump of history.

    • I now make more money cleaning and removing the insane amount of crap bundled with the Cnet downloader than I do from dealing with actual malware.

  14. Brian – my friends and I, who develop software protection technologies (aka exe-protectors, exe-packers, code virtualizers, license key systems), are innocent victims of those antivirus engines that tag anything suspicious as a potential virus (false positive detection).

    Software like PELock, Themida, VMprotect, Armadillo, Obsidium are used to protect legit software products against cracks, patches, keygens and all kind of nasty stuff from the hands of crackers.

    But when someone wants to use our products they usually find themselves in trouble because of the low quality antivirus products that tag protected software as a virus.

    I have lost many customers because they wouldn’t accept this to happen to their final products (imagine someone downloads their software and antivirus warning pops up – it’s a disaster for software maker), and there are so many antivirus products on the market it’s virtually impossible to cooperate even with a small number of their developers (I don’t even have to tell you it’s hard or even impossible to reach them and work out some solution).

    There’s a light at the end of this road called TAGGANT technology, but still I think many antivirus products are low quality and tag everything suspicious as a virus without any decent proof (hash, signature from the known malware, behavior analysis or anything that clearly would state it’s malware).

    I think antivirus products work this way so they can earn more money from their customers; it’s always easier to tag something as a virus than properly analyze the file – it would require more work from the antivirus developers.

    I’ve been working in the past for several antivirus companies and I know how they treat it – without much attention. One funny example – one antivirus company claimed they are supporting detection of my exe-protector (so they can scan the protected file content beneath the protection layer) but I didn’t even speak to any of their developers and they didn’t even buy the license of my software – they either had to analyze a limited demo version of my protector or have used carded copies of my software released to the Internet. That’s how much they care 😉

    PS. I don’t use any antivirus product – after my experiences I think it’s a garbage software that slows down entire PC, it cannot properly detect legit protection technologies and in the end can’t even protect against latest malware that is properly tested against antivirus products – so what’s the point of using something like that? The answer is simple – none 😉

    You still don’t believe me? Read about Stuxnet – it wasn’t detected for months by any antivirus product until someone manually analyzed the thing and added detection signatures to the antivirus products. Do you think it’s different for other complex malware? Think again.

    • Most users go to CNET and read the user reviews on there. It would promote your product if you would submit it to download.com for dispersal. Your Armadillo has no user reviews even though it is available. I’ve always taught my clients to regard products with no reviews as suspicious, and to watch out for products with canned reviews that are obviously from spammers, or shills working for the company.

      It is kind of a what-comes-first, the chicken or the egg? I realize that, but that is the reality of new software in the market. You could always try File Hippo or majorgeeks; I’m not sure what it takes to get your software listed on those sites, but they are some of the best!

    • “Software like PELock, Themida, VMprotect, Armadillo, Obsidium are used to protect legit software products against cracks,”

      That may be the intention, however, they obscure the code, or include non-deterministic self-modifying code. They can obscure malicious behavior, and crackers still manage to defeat the “protections”, anyways.

      I am not willing to use or recommend any software product that uses means to obscure the executable image and prevent or deter analysis of what the software does at a low level, when run on my CPU… it is definitely not legitimate, even if the goal intended to be accomplished of deterring software piracy is legitimate: there is a problem with the means, that is: attempted concealment of the binary code being executed is never legitimate.

      “Read about Stuxnet – it wasn’t detected for months by any antivirus product until someone manually analyzed the thing and add detection signatures to the antivirus products.”

      What you have there is called an outlier; the vast majority of threats antimalware has to deal with are nothing like Stuxnet. The detection rates for the AV-comparatives shown for Kaspersky, Emsisoft, etc, are pretty compelling.

      Although… at 99%, you are still expected to be infected after a few attacks, unless you combine multiple malware detection methodologies, including whitelisting, patching, and the use of exploit mitigation tools such as EMET and additional non-standard sandboxes (beyond protections the attacker will expect).

      • It seems any solution has to run in the kernel space to have a ghost of a chance of resisting manipulation by malware in the 1st place. Most of the successful players have moved to that tactic for now. Tomorrow – all bets could be off!

    • Unwanted software is unwanted, regardless whether the goal is to compromise the machine or just subvert normal user behavior so that they cannot control some product they ostensibly paid for. Sounds like the AV is working as intended, preventing hidden system level changes the purchaser probably didn’t know about or want to begin with.

  15. I feel AV is like a smoke detector: by the time it goes off the house is already on fire, maybe enough time to throw a chair thru the window and get the hell out. Or if the burglars trip the alarm I may have enough time to put on a robe before the guys with guns and ski masks are bedside. Most of the people in my city have little more than Windows, glass Windows, to protect them from crazed punks and wild animals…. which are constantly roaming, probing, looking for one small crack to slip inside.

  16. I found this a really valuable post. It’s interesting that the WSJ writer didn’t bother to discuss the reasons why antivirus is dead as this post did. He just threw it out there with no context. I think the issue is much bigger than just antivirus. All signature based solutions face the same issues. For example WAF, IDS, etc that are based on signatures are also vulnerable to obfuscation attacks. I’ve watched dozens of YouTube videos on how to quickly walk around these devices. Feels like there’s going to be a seismic shift in IT security strategies over the next couple of years as the industry moves away from signature-based technologies.

    • As mentioned previously, the fact that an executable file is obfuscated or encrypted is in itself an indication of a suspicious file. If there are also other suspicious indications (such as location on the computer, file size, detail registered with the operating system, an invalid digital signature, a bad file “envelope”, and other common sense indications), that adds more validity to the detection as malware. And this can be done without file parsing and complicated techniques like emulation or sandboxing. The AVs need to work smarter, not harder.

      • Often it doesn’t even appear to be an executable file, however. An example is the Win32/Pdfjsc PDF files that exploit Adobe Acrobat. There are endless varieties of these and the signatures can’t keep up. They attach the PDF to a spoofed internal email address (such as a FAX email address) and it will often be opened. With signature-based security it’s an arms race you’ll always eventually lose.

        • It is interesting to observe the reaction in my honeypot for those attacks. I had Foxit installed – the attack failed – my HIPS grabbed it, and it was all over! Sometimes it is good to either use applications with fewer vulnerabilities, or at least keep the ones that do, updated the instant a patch comes out. Auto updaters can help here – even if they can’t do the update, they can alert you to the patch.

          I’ve seen many attacks fail just running as a limited user, on a Windows machine running NT5 or 6, as long as the latest updates for everything installed are in force.

  17. What do you think of the idea of, when doing banking transactions, booting from a CD like Tails (whose software is frozen in the distro, not patched: isn’t using old software, even on Linux, not safe?)

    vs. Win7 w/ updated software, browsers, etc.

    • One of the distros that run out of RAM might be a better choice for banking applications. Something like LPS. Anonymity isn’t really your concern when you’re doing online banking.

      • What live USB/CDs ‘run out of RAM’?

        I can’t get LPS to boot off USB yet…

  18. What I have found with email-laced malware is that if anyone bothers to read the “riot” story, it has bad spelling and punctuation, with funny-sounding names (I have even heard of well-known agency heads knowing full well they did not write it), so I automatically delete it.

    One of the reasons why they put out these malware is that by the time the AV finds it a problem it is too late, so they put out a patch to cover it. Basically it’s an arms race between the good and bad guys.

  19. Secunia is good. It caught the only one I didn’t update. Thanks for the tip. Keep up the good work.

  20. Whitelisting (adaptive & intelligent) is the only hope for future malware defense. A combination of whitelisting and blacklisting should now be standard in any environment where endpoint security is taken seriously. Bit9, Savant Protection, Lumension, to name a few. More AV vendors need to get on board…

  21. To be honest, most AV software will detect these crypted malware programs due to their very obvious methods of infection. AV software does not rely only on signatures; calls to the kernel and other I/O are all monitored and will result in at least a notification to the user from the AV software in most cases. Layers… of course, for companies that is easy; for personal computers at home, layers normally include a simple hardware router and firewall that may do inline scanning if it’s capable, and then software on the OS.

    • I disagree. In my experience they do not detect these programs, nor their activity. If you rely on heuristics or behavioral detection you will miss a ton of malicious activity. Most well-designed malware is created with heuristic detection in mind. Even if you tune up heuristics to where they are somewhat effective, it also typically degrades user experience. In a lab you can see this. Most variants reveal no detection on places such as VirusTotal.com until hours later, which is all it takes.

  22. Hi, I use a Chromebook.

  23. Frugality, Apathy, Ignorance equals Larceny.
    We must fight the F.A.I.L. !
    My goofy mantra to remind me of my own weakness.

    Thanks for the work you do. Keep fighting the FAIL.

  24. Krebs,

    Thank you for showing restraint on your use of the word cyber. It’s used a nauseating amount and in many inappropriate contexts around the news, so it’s refreshing to read an infosec article that doesn’t make me nauseous.

  25. I agree that as of now the best solution will be layering security and trying to promote consumers to be aware of the problem in order to try to prevent it. But with technology constantly changing, do you think that somewhere in the future there will be something that can protect from all of these things? The IT industry is growing more and more every day and always coming up with new solutions to problems.

  26. If anyone is still reading this thread–

    I installed & activated EMET 4.0. on my Windows 7 HP business desktop.

    Chrome will no longer allow Shockwave Flash to operate. A yellow bar at the top of the page tells me Shockwave won’t load. The browser is up to date. (I use Qualys.) I checked the “plugins” section of Advanced Settings-Privacy, etc., and all is well there.

    Is anyone familiar with this–in an HP system, or not? HP’s forums don’t seem to have a category for this sort of problem.

    • Chrome uses its own Java and Flash; you can’t install anything that isn’t on the Chrome store site as an extension. I had EMET 4.1 installed a while back, and saw no Chrome problems; I need to go back to it. I reverted to the 3.0 version for a while because of IE9 issues, but I think I could mitigate those now.

      I’m not sure how this relates to HPs. Two of my network machines are HPs and I’m not having any trouble with Chrome, that I can think of, anyway.

      • Problem solved: it turns out that (for my machine) it’s necessary to check the “always allow” box for Flash and Shockwave at the Chrome plug-in management page. I’d assumed that not having the plug-ins disabled was sufficient. Thanks for the help.

  27. Why not just ditch Adobe? They’ve never shown much interest in security–their only interest has been in buying up technology and monetizing it.

    Regards,

    • Adobe gets a bad rap, but they are decent at providing security patches and automatic updates. Also, with Chrome… Flash can be sandboxed, mitigating much of the risk

      Oracle, JAVA on the other hand is an utter nightmare. The security of Java has more holes than a block of swiss cheese.

      Updates to free Java come out very slowly, even when being exploited, and are often batched.

      Also, Java’s “automatic update” functionality is obtrusive and not very good — they always seem to be trying to trick you into getting a new toolbar with every update and turning BACK ON the Java applets feature that you had manually disabled.

      Also, JAVA5 and JAVA6 are widely used. Many network devices and end-user packaged products still require those versions of Java to be installed to manage network equipment, and are not compatible with JAVA7 or JAVA8.

      Every 3 years, Oracle decides the previous version of free Java is “End of Life”, and stops making security updates for it — even though the vast majority of Java users are not free to upgrade, due to application incompatibility.

      No home user is going to pay Oracle 10 grand a year for security updates… ergo, there are a lot of vulnerable Java versions running around that CANNOT be remediated.

      So Adobe is not the biggest ‘polluter’ here.


#####EOF##### U.S. Government Seizes LibertyReserve.com — Krebs on Security

28
May 13

U.S. Government Seizes LibertyReserve.com

Indictment, arrest of virtual currency founder targets alleged “financial hub of the cybercrime world.”

U.S. federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online virtual currency that the U.S. government alleges acted as “a financial hub of the cyber-crime world” and processed more than $6 billion in criminal proceeds over the past seven years.

After being unreachable for four days, Libertyreserve.com's homepage now includes this seizure notice.

The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company’s founder Arthur Budovsky, a 39-year-old Ukrainian native who moved to Costa Rica to start the business.

According to an indictment (PDF) filed in the U.S. District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as “a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.”

The U.S. government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. “Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6 billion in criminal proceeds,” the government’s indictment reads. Liberty Reserve “deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable.”

Despite the government’s claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users — principally those outside the United States — simply viewed the currency as a cheaper, more secure and more private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent “privacy fee,” according to court documents.

“It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address,”  BBC wrote. “Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.”

But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I’ve written numerous stories about many such services).

“The ‘merchants’ who accepted LR currency were overwhelmingly criminal in nature,” the government’s indictment alleges. “They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites.”

A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.

It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency didn’t exactly address this question, saying: “If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238-0696 or (212) 637-1583.”

It seems clear, however, that the action against Liberty Reserve is part of a larger effort by the U.S. government to put pressure on virtual currencies. In tandem with the unsealing of the indictments against Budovsky and others, Manhattan District Attorney Cyrus R. Vance, Jr., announced the formation of the “Financial Intelligence Unit” — a group that will work with the FBI, IRS and Secret Service to more closely scrutinize suspicious activity reports filed by U.S. financial institutions.

“Keeping our Office and its investigations firmly rooted in the 21st Century means mining unique troves of data previously unavailable to prosecutors and investigators to uncover wrongdoing,” Vance said in a prepared statement. “As financial information has made the leap from ledger books to online sources, this new unit will be tasked with making sure these sets of data are analyzed, which will enhance our prosecutions of everything from classic white-collar crimes to street crimes to cybercrime.”

Several of Liberty Reserve’s competitors have apparently seen the writing on the wall and moved to distance themselves from U.S. customers. On Saturday, digital currency Perfect Money posted a note to its site saying it would no longer accept new registrations from individuals or companies based in the United States. “We bring to your attention that due to changes in our policy we forbid new registrations from individuals or companies based in the United States of America. This includes US citizens residing overseas,” the company wrote. “If you fall under the above mentioned category or a US resident, please do not register an account with us. We apologize for any inconvenience caused.”

WebMoney, a digital currency founded in Moscow and probably the closest competitor to Liberty Reserve in terms of users and daily transfer volumes, started blocking new account signups from users in the United States at least two months ago, according to Damon McCoy, assistant professor at George Mason University’s computer science department.

McCoy said that on March 13th, 2013, WebMoney presented him with the following message when he attempted to create an account on the service: “The services and products described on wmtransfer.com and webmoney.ru and offered by WM Transfer Ltd. are not being offered within the United States and not being offered to U.S residents or citizens, as defined under applicable law. WM Transfer ltd. and its products and services offered on the site wmtransfer.com,webmoney.ru are NOT registered or regulated by any U.S. including FINRA, SEC, FSC, NFA, FinCEN, CFTC or ASIC.”

It’s also not clear how the government’s actions will impact Bitcoin, a peer-to-peer digital currency that is gaining worldwide currency and momentum. While Bitcoin’s distributed nature in theory lacks the geographic central point of failure that allowed the US government to take action against Liberty Reserve, currency holders rely on bitcoin exchanges to convert bitcoins into other currencies; those entities must register with the U.S. Treasury Department as money service businesses, and could become a focus point for banking regulators going forward.

As I noted in my story last week, the U.S. District Court awarded the Justice Department control over (PDF) not only libertyreserve.com, but at least four other currency exchanges that worked closely with it. In addition, a civil action was filed against 35 exchanger websites seeking the forfeiture of the exchangers’ domain names.

Some of the bitcoin exchanges currently registered with the U.S. Treasury as money service businesses.

One other big question looms large: How much data about Liberty Reserve’s customers was the U.S. government able to collect from this law enforcement action? According to The Tico Times, a Costa Rican daily newspaper, San José prosecutors conducted raids in Budovsky’s house and offices in Escazú, Santa Ana, southwest of San José, and in the province of Heredia, north of the capital.

But at least one cybercrime expert said it may be difficult for U.S. prosecutors and investigators to glean meaningful and actionable data from any servers or computers seized from Liberty Reserve.

“I would expect that there is a huge chance that most if not all of this data is heavily encrypted,” said Arkady Bukh, an attorney based in Brooklyn, N.Y. who has represented quite a few cybercrime defendants over the years. “Any case I’ve seen where we’re talking about more than $10 million, I always see very good investments in making sure that governments will not be able to penetrate the database without cooperation of the arrested parties.”

Five defendants, including Budovsky, were arrested on May 24. Vladimir Kats, the co-founder of Liberty Reserve, was arrested in Brooklyn, as were Liberty Reserve administrators Mark Marmilev and Maxim Chukharev. In a press conference today, Preet Bharara, the United States Attorney for the Southern District of New York, said the United States would be seeking the extradition from Spain of Budovsky and Azzeddine El Amine, an account manager for the company.

Update, 2:58 p.m. ET: Added comments from Bukh, the phone numbers for Liberty Reserve account holders seeking more information, and the names of those arrested.


315 comments

  1. This does not make any sense to us, the innocent users; this action has caused us much loss. At least they should have compensated us. Because not all of the users are among the above-listed charges against the LR company, and we have lost enough funds due to the prohibition of the LR company, we are just hoping the LR company could come up with logical and valuable evidence to defend its innocent users.
    The above-listed charges do not rely only on LR; it is going on everywhere, in the highest banking companies in their countries. Governments should consider the innocent users who have been victims due to their immediate actions against the LR company.

  2. About the issue of Liberty Reserve, I will not argue that the medium was not used illegally; the truth is that there is no means of transaction in this world that criminals don’t use for their acts. I am not a criminal and I have never used this means to cheat anybody. I have money in my Liberty account which I can’t afford to lose.

  3. The fact remains that the USA govt is broke and she is looking for someone to defraud. 6b is not a little money; if not, they should have remembered that there are innocent LR users, and that people can die of heart attack from the shock of the news of the wicked act. So many placed their life savings in FOREX. YES, it’s been used for illegal activities by wicked criminals, but why not place a restriction on it, maybe ID protection or proof of residence or anything more? Why not order the LR company to adjust their policy to maybe normal banking policy or more? Why close them down like that if not for personal reasons, which I strongly believe is that your eye is on the money inside the company. This is why so many countries dislike the USA even if they pretend to be friends.

    • I don’t see how such an order could be enforced. LR had already been ordered to shut down, some years ago, but continued to operate illegally.

  4. I myself have money in my LR account and I am just a hard-working woman that is supporting a fiancé overseas. I am far from a criminal and wouldn’t have the slightest idea what or how to do it. I am angry, though, that there were no notifications issued in regard to the seizure, etc. I feel for all the people who have funds in their LR accounts as well as the businesses that use it. And why not investigate other companies that are on a similar line? There must be more out there somewhere.
    I just hope us “little people” can get our money back as soon as possible. Too much stress for any person is not good.


#####EOF##### Pro Grade (3D Printer-Made?) ATM Skimmer — Krebs on Security

07
Dec 11

Pro Grade (3D Printer-Made?) ATM Skimmer

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.

Here’s a closer look at the circuit board on top, which looks like some type of Flash storage device:

Here’s another look at the electronic parts wedged into the back of the skimmer:

It appears from the following image that the data storage on the device is connected directly to the mag stripe reader (top, silver wire), while the device’s video camera is wedged behind the pinhole (bottom, gold wires).

The investigator I spoke with about the incident didn’t know much about the innards of the device, and said that those responsible have not yet been caught. But he did have something interesting to tell me about the origins of the skimmer: “It is believed that the green skimmer was made with the Stereolithography process.” Translation: The cops think thieves produced the card skimmer molds with the help of 3D printers.

These hi-tech and costly machines take a three-dimensional computer model and build it up in successive thin layers. In stereolithography each layer is a film of liquid resin hardened by a laser; other 3D printing processes instead fuse layers of powder. In September, I detailed how U.S. investigators had arrested four men in Texas who allegedly built their ATM skimmers using a 3D printer they’d purchased with the proceeds of their skimming business.

In related news, New York County District Attorney Cyrus Vance earlier this month announced an 81-count indictment against three men suspected of planting skimmers at ATMs in Manhattan. The indictment alleges that the men used the skimmers to steal the debit card numbers of nearly 1,500 individuals, and then exploited the stolen debit card numbers to make more than $285,000 in fraudulent transactions.

In the press release that accompanied the indictment, the district attorney released several images of the skimmer devices allegedly planted by the Manhattan trio. While these devices relied on a separate façade that held a hidden video camera to record customer PINs, there is little question that the same Chase ATM design was targeted. In the picture below, the hidden camera is the squarish silver block mounted vertically to the left of the PIN pad. An enlarged picture of the camera façade follows this one.

A compromised ATM in Manhattan. Image: NYCDA.

A hidden camera and card skimmer part seized by authorities in Manhattan.

Hidden camera footage of a customer entering his PIN. Image: NYCDA.

If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

If you liked this post, consider checking out the other stories in my ATM skimmer series, All About Skimmers.


71 comments

  1. an astonishing level of sophistication that the Bernard Madoffs of Wall Street and big business couldn’t match on their best day.

  2. According to Samsung’s website, the chip shown is a 32 Gb NAND flash memory.
    http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=672&partnum=K9LBG08U0M&xFmly_id=157
    or
    http://www.samsung.com/global/business/semiconductor/partnumberSearch.do?webpartnum=K9LBG08U0M&cdnpartnum=&ppmi=PartnoSearch

    Now this is purely speculation, but I’d guess the chip with board were lifted out of a memory card, eg SD or microSD.

    • That board’s not from a memory card; memory cards don’t have TSSOP packages inside them (they’re too thin). Rather they use bare dice. This looks like part from a video camera that has internal flash; there appears to be an SD card slot on the other side of the PCB, with a card fitted.

  3. So much for covering the keypad when using an ATM and tugging on the card slot to make sure it is legit… I just learned that despite these measures my ATM card was compromised and 10 withdrawals were made over two recent days in Bogotá, Colombia. I have used this ATM card in Colombia before, but the last time was in February 2011. I had also used it three weeks earlier in Buenos Aires and had problems with an ATM at Ezeiza and at another ATM at a hotel. Both ATMs were owned by the bank that issued my debit card and, as mentioned above, I always tug on the card slot and cover the key pad with my hand… not a great Christmas present…

    • Sorry to hear that, BL!

      I guess that is why they use these new devices. They fit just like the original, and won’t be knocked loose. The 3D printing assures that.


#####EOF##### How Was Your Credit Card Stolen? — Krebs on Security

19
Jan 15

How Was Your Credit Card Stolen?

Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and, for each type, the likelihood of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

The card associations (Visa, MasterCard, et al.) very often know which merchant was compromised before the banks or even the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations send each affected bank a list of card numbers that were compromised.

The bank may be able to work backwards from that list to the breached merchant by looking for a merchant that the listed cards have in common, but only if that merchant is not one that a majority of its cardholders shop at in a given month anyway. However, even in the cases where banks do know which merchant caused a card to be compromised and/or replaced, they rarely share that information with their customers.

Here’s a look at some of the most common forms of credit card fraud:

Hacked main street merchant, restaurant:
Most often powered by malicious software installed remotely on point-of-sale devices.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take the information and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

Processor breach:
A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card associations/banks generally don’t tell consumers when they do know.

Hacked point-of-sale service company/vendor:
A compromise at a company that installs, services or remotely supports point-of-sale systems for many merchants.

Distinguishing characteristic: Can be time-consuming for banks and card associations to determine vendor responsible. Fraud is generally localized to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

Hacked E-commerce Merchant:
A database or Web site compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorized transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

ATM or Gas Pump Skimmer:
Thieves attach physical fraud devices to ATMs and pumps to steal card numbers and PINs. For more on skimmers, see my All About Skimmers series.

Distinguishing characteristic: Fraud can take many months to figure out. Often tied to gang activity.

Chances of consumer learning source of fraud: High. Bank should disclose to cardholder the source of the fraud and replace stolen funds.

Crooked employee:
Uses hidden or handheld device to copy card for later counterfeiting.

Distinguishing characteristic: Most frequently committed by restaurant workers. Often tied to a local crime rings, or seasonal and transient workers.

Chances of consumer learning source of fraud: Nil to low.

Lost/Stolen card:

Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by the bank to suspicious transactions, which often begin with small test transactions to see if the card is still active — such as at automated gas station pumps — before larger purchases.

Chances of consumer learning source of fraud: High.
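As an added example that is not part of the original post, here is a small rule-based check for the “small test transaction” pattern just described: a tiny authorization at an automated fuel dispenser followed within a short window by a large purchase somewhere else. The record layout, the dollar thresholds, the time window and the sample authorizations are all constructed for illustration and are not an issuer’s real rules; the merchant category codes 5542 (automated fuel dispensers) and 5732 (electronics stores) are standard codes used here only as sample values.

```python
"""Rule-based flag for the 'small test transaction' pattern on one card.

Added example, not from the original post.  Thresholds, record layout and
sample data are assumptions for illustration, not an issuer's real rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed tuning values; a real issuer would derive these from its own data.
TEST_MAX_AMOUNT = 2.00            # a "test" auth is this small or smaller
FOLLOW_WINDOW = timedelta(hours=24)
FOLLOW_MIN_AMOUNT = 100.00        # a follow-on purchase this large is suspicious
AFD_MCC = "5542"                  # merchant category code: automated fuel dispenser


@dataclass(frozen=True)
class Auth:
    """One authorization request as seen by the issuer (simplified, assumed layout)."""
    ts: datetime
    amount: float
    mcc: str
    merchant: str


def find_card_testing(auths: List[Auth]) -> List[Tuple[Auth, Auth]]:
    """Return (test_auth, follow_auth) pairs that match the pattern.

    A match is a small authorization at a fuel pump followed, within
    FOLLOW_WINDOW, by a large purchase at a different merchant.  A lone $1
    pump pre-authorization is routine; only the follow-on makes it suspicious.
    """
    ordered = sorted(auths, key=lambda a: a.ts)
    hits: List[Tuple[Auth, Auth]] = []
    for i, test in enumerate(ordered):
        if test.mcc != AFD_MCC or test.amount > TEST_MAX_AMOUNT:
            continue
        for follow in ordered[i + 1:]:
            if follow.ts - test.ts > FOLLOW_WINDOW:
                break                      # stream is sorted; nothing later is in window
            if follow.amount >= FOLLOW_MIN_AMOUNT and follow.merchant != test.merchant:
                hits.append((test, follow))
                break                      # one hit per test auth is enough
    return hits


def risk_label(auths: List[Auth]) -> str:
    """The label an alerting pipeline would attach to this card's stream."""
    return "card-testing" if find_card_testing(auths) else "normal"


# Constructed sample data (not real transactions).
T0 = datetime(2015, 1, 19, 8, 0)
SUSPECT = [
    Auth(T0, 1.00, AFD_MCC, "pump-a"),                                   # small pump pre-auth
    Auth(T0 + timedelta(hours=3), 450.00, "5732", "electronics-store"),  # large follow-on
]
LEGIT = [
    Auth(T0, 1.00, AFD_MCC, "pump-a"),                                   # pre-auth ...
    Auth(T0 + timedelta(minutes=5), 42.10, AFD_MCC, "pump-a"),           # ... then the fill-up
    Auth(T0 + timedelta(days=2), 300.00, "5732", "electronics-store"),   # outside the window
]

if __name__ == "__main__":
    for name, stream in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, risk_label(stream), find_card_testing(stream))
```

The pump pre-authorization on its own is what every legitimate fill-up looks like, which is why the rule keys on the follow-on purchase rather than the $1 charge; in practice an issuer would fold a signal like this into velocity and geography checks rather than alert on it alone.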

Malware on Consumer PC

Distinguishing characteristic: Malicious software that hooks into the victim’s browser, and records all data submitted into Web site forms, including credit card information. Leads to unauthorized online charges.

Chances of consumer learning source of fraud: Discovering the infection? Fairly good. Definitively tying card-not-present card fraud to a malware infection? Very low.

Physical record theft:
Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

Distinguishing characteristic: Usually not high-volume. Less common form of fraud than it used to be.

Chances of consumer learning source of fraud: Nil to low.

I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.

92 comments

  1. Crooks are getting a new tool which will help them automate some of the steps to drain bank accounts.

    Called FraudFox VM, the software is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the successor to the Silk Road online contraband market, for 1.8 bitcoins, which is about $390.

    http://www.csoonline.com/article/2871248/fraud-prevention/this-tool-may-make-it-easier-for-thieves-to-empty-bank-accounts.html#tk.rss_news

  2. Keep in mind that it doesn’t need to involve a POS transaction, ever. I had a brand new account that had never been used. The card was filed away by me, and many months later, I had fraudulent charges on the account. Finally managed to get it cleared up, and cancelled the account.

  3. I had a CC with Unnamed Very Large Credit Card Company. It had a fraudulent charge, which I noticed and challenged. So they issued a new account number and a new card. The usual routine.

    I received the new card in the mail, and put it in my drawer. Never activated. Never used anywhere. Surprise! Fraudulent charges eventually appeared on that one too!

    I called to cancel the account completely, and I asked how this could happen, when the card hasn’t even been activated, let alone used. The response was something like “We wish we knew.” This was years ago, and I’ve always wondered if the CC company themselves had been hacked, or their card manufacturer, or what.

    • Some credit card companies will allow “reoccurring subscriptions” to rebill to a new credit card number using the old credit card number. I had that happen with a card I had stolen – the fraud charge they put through was classified as a subscription and the credit card issuer let it through with the old, stolen number.

  4. I have no idea how they got it–I’ve been hacked three times. Ironically, I have what I call a “dummy card,” i.e., I only load it with as much as I’m going to spend online, that way, if it gets hacked, there’s nothing to get. It appears to be bullet-proof–it’s never been accessed illegally, and I’ve used it for years.

    • It looks like you have a pre-paid card on which only a certain amount is used to fund activity. It’s a great way to prevent it, simply because there’s not much to get at. I’ve used one via GW and I’ll know the transaction happens immediately.

  5. My wife had her card used on two separate occasions to buy airline tickets. Now how on earth could these people NOT be caught in a situation like this? Assuming they (or the people they bought the tickets for) actually utilize the tickets they could wait right there at the airlines’s gate for these LOSERS and bust them!! Not rocket science, but I’m sure the CC companies don’t have the resources to track these clowns down as often as this happens. Severe jail time needs to be imposed on these LOSERS to dissuade this S**T from happening in the first place.

    • The problem lies in where the thieves are in order to be apprehended. If they are overseas, there is not much law enforcement can do about it, with the exception of extradition treaties that cover such activities.

    • Typically the fraudster will purchase an airline ticket that is scheduled to depart fairly soon (usually same day) in order for the ticket to not be cancelled once the institution realizes it’s a fraudulent purchase. Also, financial institutions do not have the resources nor the enforcement to actively pursue the fraudsters and I can tell you from experience that law enforcement only cares if it is a fairly significant dollar amount.

  6. One could use crowd-sourcing to identify likely sources of large hacks…

    • Great idea! And just how do you propose to keep the miscreants from manipulating the process to produce whatever outcome they want? Think I’d rather trust my bank’s fraud investigations unit.

  7. Mine was stolen in India. I was in a market paying for some Jewelry. They had a Visa sticker and I was short on cash. I handed them my card and before I could say anything they left the booth. One week later when I was home I got a call from my Bank that my card had been hacked. How they figured it out was interesting as they called me before it had ever been used.

  8. I had a card number stolen 3 years ago. I’ll name names because it’s a good story. The Fraud department with US Bank spent more than an hour on the phone with me and we chased down all the fraudulent transactions. We called the merchants together and even talked to the individual people who handled the transactions. I can’t say enough good about what US Bank did.

    And then I brought all that to the FBI. This was something like $10k worth of attempted transactions and with help from US Bank, we had names, dates, and details. In writing. I gave it all to the FBI and it disappeared into a black hole, never to be heard from again. I like to think the FBI went after the bad guys but never closed the loop with me, but more likely nothing happened.

    So Brian, in your tutorial, be sure to tell people not to count on law enforcement for help.

    – Greg Scott

  9. Hi Kreb,

    What about the cards that get scripted by crookers? E.g., the card generators that can target specific issuers/BINs?

  10. Hi Kreb,

    What about those who use card generators to script cards? Although quite old-fashioned, there are still plenty of examples on the web of crookers who script cards targeting specific issuers/BINs.

  11. Any InfraGard member will confirm that the FBI does indeed take this type of fraud seriously and definitely does pursue the criminals, even overseas.

    • Re: Paul –

      > Any InfraGard member will confirm that the FBI does indeed
      > take this type of fraud seriously and definitely does pursue
      > the criminals, even overseas.

      I’m sure that’s what the press releases say. But I also know what really happened in my case when the rubber met the road. Fortunately for me, the crooks were clumsy, the US Bank Fraud department was great, and none of the attempted charges went through.

      And I paid my InfraGard dues a couple months ago at the last meeting here.

      – Greg Scott

  12. A lot of suppliers sell RFID Blocking Card Sleeves. These look like ordinary card sleeves though. I haven’t been able to get my hands on one yet & was wondering if you know how they differ?

    • This has to be the most over-hyped form of credit card theft there is. I do not believe you have to worry about thieves stealing your card number via RFID attacks. This might be different for high-value targets in very hostile areas of the world, but for average users this is a non-threat IMHO.

  13. What about malicious apps on smart phones? That seems to be a open area for organized crime. The growth of financial services on smart phones is tremendous – just a matter of time before malicious apps start to use that ecosystem to steal payment data….

    • Already happening. As long as you don’t jailbreak your iDevice and don’t allow third-party app sources for Android you’re relatively safe though (but assume never completely safe).

  14. LessThanObvious

    I had two cards compromised at a Chevron Station in Redmond Washington. One thing I found odd was that neither credit card company seemed all that interested in my ability to tell them the source of the fraud. I’d think they would at least note the source so they can follow the trend from that merchant and inform them of the issue. If they are going to leave it to the card holder to go file a police report on the merchant then they are missing a lot of data, as most people won’t bother formally reporting once the new card is in the mail.

  15. I would challenge the banks and other issuers to prove their security is effective. So few do any independent red team testing, and so many have miserable security, especially for their infrastructure. Fear of service interruptions outweighs good security practice, every day.

    Do what we do. Check every one of your accounts every day and twice on weekend days.

  16. I would also be interested in knowing how they hack seldom-to-never used cards as some others have reported. Happened to me with a card that I use very infrequently and had probably not been used for a transaction in close to a year.

  17. Mr. Krebs could you please remove this article? If someone researches this stuff they can learn it.

    • You sir Alex C are clearly a genius! I would like to second this sentiment Brian: Please remove this very useful article. Why? Because I could do hours of research on my own and get most of the information that way (minus your excellent comments comparing the varying likelihoods of each method).

    • What do you imagine is the harm published in this article, Alex?

      • Yes, many people are hackers from little forums and they see this and try to do the same stuff with their knowledge.

  18. Last week my checking account got charged for BN Membership. I contacted bank & was told Barnes & Noble charged it. The membership is not mine, it’s my son-in-laws. I renewed (1x) for him as a gift in Jan 2014. That means Barnes & Noble STORED my debit card information without my authorization AND renewed his membership without his authorization.

    Spent about 40 minutes talking to 5 different people going through the process of cancelling my debit card, attempt to stop the charge & interim credit, filing a claim, ordering a new card & getting a temporary card.

    • Their website has been infested with MITM attacks I notice lately as well. I was having a hell of time today clicking links on their page. I had to clear out my sandbox and reload browser to get them to work.

      I think using a script blocker in your browser helps a lot too.

  19. If your card was used fraudulently and you never made any purchases on the card it could be one of 2 things.

    1. A sneaky wife
    2. You got very unlucky and were reissued a card number that was previously compromised years ago. However, that is a long shot considering CVV/CVC and expiry date checks.

    Here’s another scenario. I was waiting for a Credit Card to be overnighted to me one day. When I got home from work I had the letter sitting on my porch. When I opened said letter it was not my Credit Card. The mailman delivered my neighbors replacement card down the block. However once opened, it was very easy to lift the card off the back of the paper to view the CVV code on the back and numbers were clearly visible on the front of the card.

    I simply sealed the letter back up and dropped it on his porch.

    Very simple for someone in a mail room, or working for a post office to perpetrate.

  20. I have had to shut down two CC accounts in under five years for fraudulent activity. Neither instance began with the loss of card or any visible hack of my online accounts. I still don’t know how the card numbers were lifted because I didn’t swipe either card at gas stations, ATMs and other places where card readers are likely to be present, either. The cards had been used online, but the passwords were always different (not used in perpetuity, either). I still don’t know how this has happened to me twice — or how to prevent it from occurring again.

    The first time fraud occurred, the charges were made half way across the country in a place I have never visited — for airline tickets. This should have flagged with the card issuer on either count, but didn’t even though I had never previously purchased airline tickets with that card, let alone in excess of $1K worth!

    The latest instance is even more puzzling in that there must have been a clone of my credit card made because it was used at physical addresses (stores and gas stations within 50 miles of my home). How did they obtain a physical duplicate of my credit card if I never lost it?

    My first reaction is to assume this theft traces to some online use even though I have never been aware of a hack and do not make the usual password mistakes of relying upon the same password over and over again. Then, again, with Walgreens, TJMaxx/Marshalls, Target and Home Depot having breached customer information (not to mention, laptops with patient information stolen from a hospital I went to less than three years ago) it seems almost impossible to narrow down the cause.

    I know this is unrelated but I want to point out the horrible problem with electronic voting machines that don’t have the proper security measures in place and/or who rely on contractors for setup, service and the like. There are some things that should not pass through online networks, period, and paperless voting is one of them — which sadly is too often overlooked.

  21. Or, it could simply be the result of an inside job by an employee who, for various reasons, thinks they can make some quick cash and get away with it….

    “Former Home Depot employee admits to selling customer credit card info”

    http://www.mystatesman.com/news/news/crime-law/former-home-depot-employee-admits-to-selling-custo/nj2Gh/#0b1957a6.3363884.735629

  22. The problem I have with the current system of security breach reporting is the lack of transparency. If there is a security breach, there should be a law that stipulates that at the very least, the customers associated with the payment processing companies, the banks and/or the merchants involved should be notified IMMEDIATELY. If several months go by before even a vague acknowledgement that a breach occurred, who knows how many more hundreds, thousands or even hundreds of thousands of customers would be affected? There have been reports that notifications do not go out for even weeks or months after the incident, which is simply unacceptable. Influential consumer advocate groups as well as security experts like Krebs need to push harder for better transparency, instead of falsely aligning with these groups (banks, merchants, processors) who portray themselves as victims (when ultimately the REAL victims are the consumers and customers who have to deal with the ugly fallout, e.g., lowered credit scores, stolen identity, etc.)

  23. Reducing credit card theft begins with PCI DSS security awareness training, which is often overlooked in today’s world of compliance. Both merchants and service providers need to put in place comprehensive training programs for all employees, and for good reason when you stop and think about it. While companies often spend untold sums of money on the latest and greatest hardware and software products, they fail to recognize the importance of training and educating employees on security issues, threats, and best practices. There are a multitude of programs available online, many for free, so there’s really no excuse. Want to stay in business, then protect cardholder data by training your employees on important security issues and threats – it’s really that simple.



21
Sep 16

KrebsOnSecurity Hit With Record DDoS

On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.

The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.

Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gbps attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.

In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices.

The largest DDoS attacks on record tend to be the result of a tried-and-true method known as a DNS reflection attack. In such assaults, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. They do this by taking advantage of an extension to the DNS protocol that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

But according to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.

That is, with the exception of one attack method: Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself.

“Seeing that much attack coming from GRE is really unusual,” Akamai’s McKeay said. “We’ve only started seeing that recently, but seeing it at this volume is very new.”

McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic. Nor can junk Web-based DDoS attacks like those mentioned above. That suggests the attackers behind this record assault launched it from quite a large collection of hacked systems — possibly hundreds of thousands of systems.
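The two traffic types described above, reflected DNS responses and GRE arriving from hosts that are not tunnel peers, can be picked out of flow records collected at the edge of the target network. The block below is an added example written for this page, not code from the post or from Akamai. It assumes a simple flow-record schema (source and destination address, ports, protocol and byte count), a protected prefix of 192.0.2.0/24 and a configured list of GRE tunnel peers; every sample flow is constructed from documentation address ranges. It takes the post’s statement that GRE sources are not spoofed as given and simply flags GRE from any address not on the peer list.

```python
"""Flow-record checks for reflected/amplified DNS responses and for GRE
from unexpected peers. Constructed sample data; not part of the original post."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    sport: int    # source port (0 for GRE, which has no ports)
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # "udp", "tcp" or "gre"
    nbytes: int   # bytes carried by the flow


# Constructed sample flows for a hypothetical protected network 192.0.2.0/24.
# 198.51.100.10 is a resolver we really queried; 198.51.100.20 and .21 send
# answers nobody asked for (reflection); 203.0.113.7 sends GRE although it is
# not a configured tunnel peer, while 203.0.113.8 is.
SAMPLE_FLOWS = [
    Flow("192.0.2.5", 40001, "198.51.100.10", 53, "udp", 70),      # our query
    Flow("198.51.100.10", 53, "192.0.2.5", 40001, "udp", 120),    # its reply
    Flow("198.51.100.20", 53, "192.0.2.5", 33000, "udp", 3100),   # unsolicited
    Flow("198.51.100.20", 53, "192.0.2.5", 33001, "udp", 3100),   # unsolicited
    Flow("198.51.100.20", 53, "192.0.2.5", 33002, "udp", 3100),   # unsolicited
    Flow("198.51.100.21", 53, "192.0.2.5", 33003, "udp", 3000),   # one only
    Flow("203.0.113.7", 0, "192.0.2.5", 0, "gre", 1400),          # unknown peer
    Flow("203.0.113.8", 0, "192.0.2.5", 0, "gre", 1400),          # known peer
]


def detect_dns_reflection(flows, protected, min_unsolicited=3, query_bytes=70):
    """Return {resolver: (unsolicited_count, amplification)} for resolvers that
    sent at least min_unsolicited DNS answers no host of ours asked for.
    amplification = mean unsolicited answer size / a typical query size."""
    net = ip_network(protected)
    # Every outbound query we sent, keyed by (resolver, our host, our port).
    asked = set()
    for f in flows:
        if f.proto == "udp" and f.dport == 53 and ip_address(f.src) in net:
            asked.add((f.dst, f.src, f.sport))
    # Inbound answers whose (resolver, host, port) matches no query we sent.
    unsolicited = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and ip_address(f.dst) in net:
            if (f.src, f.dst, f.dport) not in asked:
                unsolicited[f.src].append(f.nbytes)
    report = {}
    for resolver, sizes in unsolicited.items():
        if len(sizes) >= min_unsolicited:
            amp = round(sum(sizes) / len(sizes) / query_bytes, 1)
            report[resolver] = (len(sizes), amp)
    return report


def detect_unexpected_gre(flows, protected, tunnel_peers):
    """Return {source: bytes} for GRE traffic into the protected prefix from
    any address that is not a configured tunnel peer."""
    net = ip_network(protected)
    peers = {ip_address(p) for p in tunnel_peers}
    offenders = defaultdict(int)
    for f in flows:
        if (f.proto == "gre" and ip_address(f.dst) in net
                and ip_address(f.src) not in peers):
            offenders[f.src] += f.nbytes
    return dict(offenders)


if __name__ == "__main__":
    print(detect_dns_reflection(SAMPLE_FLOWS, "192.0.2.0/24"))
    print(detect_unexpected_gre(SAMPLE_FLOWS, "192.0.2.0/24", ["203.0.113.8"]))
```

A resolver that answers queries nobody on the protected network sent is the signature of reflection, and the amplification figure (mean answer size over a 70-byte query) shows what the attacker gained per packet. The matching is stateless and keyed only on resolver, host and port, so a legitimate reply to a query that fell outside the record window would also look unsolicited; in practice the check runs over a window longer than the resolver timeout, and the thresholds are tuned to the network’s normal DNS volume.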

“Someone has a botnet with capabilities we haven’t seen before,” McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.

As noted in a recent report from Flashpoint and Level 3 Threat Research Labs, the threat from IoT-based botnets is powered by malware that goes by many names, including “Lizkebab,” “BASHLITE,” “Torlus” and “gafgyt.” According to that report, the source code for this malware was leaked in early 2015 and has been spun off into more than a dozen variants.

“Each botnet spreads to new hosts by scanning for vulnerable devices in order to install the malware,” the report notes. “Two primary models for scanning exist. The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device.”

Their analysis continues:

“The other model, which is becoming increasingly common, uses external scanners to find and harvest new bots, in some cases scanning from the [botnet control] servers themselves. The latter model adds a wide variety of infection methods, including brute forcing login credentials on SSH servers and exploiting known security weaknesses in other services.”
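The first infection model the report describes, scanning for telnet and brute-forcing the login, shows up on the device side as a burst of failed logins from one address, usually followed by a success once a weak or default password is hit. The block below is an added example, not code from the post or from the Flashpoint and Level 3 report: it parses a constructed telnet log format (assumed here, not any real device’s), flags sources that reach a threshold of failures inside a sliding time window, and marks those where a login later succeeded, which is the case a defender most needs to act on.

```python
"""Brute-force detection over a device's telnet login log. The log format and
all sample lines are constructed for this example; they are not from the post."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log line format (hypothetical, not any real device's):
#   <ISO-8601 UTC timestamp> telnetd: login <failed|ok> user=<name> from=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

# Constructed sample log: one source cycles through common usernames and gets
# in; another fails twice far apart; a third logs in cleanly.
SAMPLE_LOG = """\
2016-09-20T20:00:01Z telnetd: login failed user=root from=203.0.113.5
2016-09-20T20:00:02Z telnetd: login failed user=admin from=203.0.113.5
2016-09-20T20:00:03Z telnetd: login failed user=root from=203.0.113.5
2016-09-20T20:00:04Z telnetd: login failed user=support from=203.0.113.5
2016-09-20T20:00:05Z telnetd: login ok user=root from=203.0.113.5
2016-09-20T20:00:30Z telnetd: login failed user=root from=198.51.100.9
2016-09-20T20:15:00Z telnetd: login failed user=root from=198.51.100.9
2016-09-20T20:30:00Z telnetd: login ok user=admin from=192.0.2.44
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log_text, window_s=60, threshold=4):
    """Return {ip: {"failures": n, "usernames": [...], "success_after": bool}}
    for every source that reaches `threshold` failed logins within any
    `window_s`-second window. success_after is set if that source later logged
    in, i.e. the guessing worked and the device is probably enrolled."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of failures in window
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue               # skip lines in other formats rather than fail
        ts, result, user, ip = rec
        if result == "failed":
            q = recent[ip]
            q.append((ts, user))
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "failures": len(q),
                    "usernames": sorted({u for _, u in q}),
                    "success_after": False,
                }
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The username list is kept because a source walking through root, admin and support in seconds is the credential-list pattern the report describes, which distinguishes it from one user mistyping a password. A source flagged with success_after set is the one to isolate first: the device should be assumed compromised until the login history and running processes have been checked.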

I’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.

Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.

I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.

Update Sept. 22, 8:33 a.m. ET: Corrected the maximum previous DDoS seen by Akamai. It was 363, not 336 as stated earlier.


122 comments

  1. The funny thing is that you got free advertisements for your website.
    I never heard about this website before the attack.
    I think you should thank whoever it is

    • @David
      If you are mugged you may also become famous as being a victim.
      You do not thank your attacker.
      Your comments are ludicrous.

      • If he were running an e-commerce site I’d agree, but this is a blog. Somebody actually pulling this record-breaking feat off to try and silence specifically one voice is nothing but street cred and new visitors. That’s worth being relegated to Twitter for a day or two.

        Like Obi-Wan para-said:

        “If you strike my site down I shall become more powerful than you can ever imagine.”

        It was a short-sighted, expensive (people will be better prepared for iOT-based attacks because of it) and stupid thing to do that only hurt the perpetrator in the long run if they had hoped to profit further from this approach. And I for one am glad the iOT angle became a going concern through this attack rather than something meant to inflict the kind of damage that actually hurts a lot of people.

        If their goal was simply simply spreading awareness, then bravo I’d say. Although maybe a slideshow presentation to the right audience would have been more practical.

    • I agree with you, David. I had never heard of Brian Krebs before the recent IoT-based DDoS attack. It was the IoT part that got my attention and led me to Brian’s site, which I am enjoying quite a bit (my husband does not believe me when I urge him to use long passwords with special chars on our router, but he’s a geologist, why should he understand? Maybe he will now, because I have been forwarding Krebs’ articles to him one by one. Hi honey, if you are reading this! LOL)
      IMHO, this is a better story than the political drama that is the presidential race right now. Why aren’t we seeing this on national TV? It’s monumental in how a DDoS can cripple a company and if they can do this to Brian? why not walmart.com, amazon.com, and others like them? I wish they would, because maybe we would have more awareness. But it’s almost like mass-shootings: people aren’t willing to believe that it could happen to them.

      • You almost wished the dDos attacks would happen to Amazon etc… Be careful what you wish for. Or in your case “almost wish” for. LOL . I AM LOVING THIS TOO MUCH!!! Who exactly is this Krebs guy, and what did TODAY’S attacks do to him? The MILD attack on Mr. Krebs was merely a viability study of the bot of all bots. A pop quiz to help us get ready for the final exam. Guess what!!! We all FLUNKED. God. I really AM loving this just a little too much!!! I wish I had been a part of pulling it off. P

  2. Hey Brian,

    Unlike some other posters, I’ve read your work since long before there was a krebsonsecurity.com. A “Record DDos Attack” is a sad record to behold, and I am sure you agree. To those folks I would say … Just be glad Genghis Khan does not hold that “Vienna Record” or we might be reading krebsonsecurity.com in Chinese.

    Part of the problem is that two big ideas are afloat at the moment with fuzzy definitions: “Big Data” and Internet of Things (IoT).

    “Big Data” refers to projects which will replace many Infrastructure Control Systems (SCADA) – the Extranet of one real big thing, so to speak.

    The Internet of Things (IoT) on the other hand, is a place where the mere addition of “things” can easily make one wish they had never heard the term Distributed Denial of Service (DDoS) attack.

    There is a third “business case” though that is not often spoken about. This third case is the ace-in-the-hole of those in Public Service (Bureaucrats and Technocrats alike). It has been functioning without a DDoS catastrophe since the French and Indian War (1754) to the present.

    Think outside your dinner take-out containers …

    Here is a link: http://purl.org/pii/terms/franklin

  3. Cloudflare is known for being a gangsta cloud.

  4. Your blog Brian is a fascinating window into this shady and increasingly risky world. Thank you and please keep it coming. Watch your ‘back’ every step of the way.
    P.S. How soon before an energy utility is hit and a big chunk of the power grid goes dark?



10
Mar 19

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.

For reference, here’s a similar card acceptance slot, minus the skimmer.

An unaltered ATM card acceptance slot (without insert skimmer).

Police in Hurst, Texas released a photo taken from footage showing what appears to be a young woman affixing the camera skimmer to the drive-up ATM. They said she was driving a blue Ford Expedition with silver trim on the lower portion of the vehicle.

The skimmer crooks seem to realize that far fewer people are going to cover their hand when entering a PIN at drive-up ATMs. Often the machine is either too high or too low for the driver-side window, and covering the PIN pad to guard against hidden cameras can be a difficult reach for a lot of people.

Nevertheless, covering the PIN pad with a hand, wallet or purse while you enter the PIN is one of the easiest ways to block skimming attacks. The skimmer scammers don’t just want your bank card: They want your PIN so they can create an exact copy of the card and use it at another ATM to empty your checking or savings account.

So don’t be like the parade of people in these videos from hidden cameras at hacked ATMs who never once covered the PIN pad.

Further reading: Woman Caught on Video Installing Skimmer Outside Bank’s ATM in Hurst


61 comments

  1. Man, I wish you put some red arrows on those pictures for dummies like me. I’m struggling to understand what’s what on those images.

  2. The Sunshine State

    Cool photos

    • One reason we decided to use cash for everything and go to the bank during business hours was because of photos like these. I still have a couple of cards, but almost never use them. Which reduces my exposure. Cash is still king and it allows some fun negotiation with larger purchases.

  3. I used gasbuddy to find the lowest price fuel along I-5 near Tacoma WA and found an independent fuel seller that was .10/gal less on fuel than anywhere else local. The on pump card readers were taped off with a note to come inside to pay. Once inside a sign at the POS read debit cards only and just after I finished the sale I happened to glance up and there was a security camera pointed directly down on the PIN pad. Whoops. I cancelled my card as I drove away. Lesson learned.

    • More than likely that was to catch people trying to put in an overlay onto the terminal to steal cards.
      I mean it’s possible the people running it were crooks, but more likely it was just security.

      Next time always cover your hand when you enter a pin and it won’t matter as much 🙂

    • And you called the cops and reported it, right? To catch the thieves and protect other customers who didn’t notice the camera?

    • Touchdown In Sight

      @ Ron M.. #GlassHalfFull but also kind of not is that there was a recent article about the Kroger grocery store chain doing something similar. It’s about credit card fees for credit versus debit card transactions.

      A few years ago, a local small town store told me they pay a much higher fee to credit card companies when customers use the credit option instead of debit. It looks like that was apparently a fact and is now becoming much more common knowledge thanks to one credit card possibly becoming increasingly greedy over the same.

      @ Brian, #ThankYou as always! You write so very cognitively friendly.

      I followed your 3D skimmer link there. Today’s digital cameras offer Wifi capability on regular occasion. I’ve had at least 2 OLDER secondhand cameras I bought that had that capability. Sorry, I can’t remember the make/model.

      That Samsung [chip]… digital cameras again maybe. A quick search of “samsung digital camera specs wii” landed the following without even visiting the actual website:

      “Wireless Connection. IEEE 802.11b/g/n, NFC (Near Field Communication)”

      That’s from personal fave CNet regarding the “Samsung Smart Camera WB350F”.

      You know… I’ve seen used Samsung cameras go for what felt like a little bit of a high price. You possibly have shed some light as to why if for some reason quality and capability don’t already put the question to rest.

      PS… I’ve been contemplating writing you to ask your opinion about something. I received a PDF file about the same time *YOU* wrote about that topic here. Mine.. I think *possibly* has something to do with….

      Child trafficking.

      At the very least, it’s about a (security affecting, maybe??) HIPAA violation that a doctor’s office should know is occurring…

      Except that…

      The doctor’s office, that DOES have a believable Internet presence, sent an email to a (fake) pseudonym of *mine*. The email author addressed that pseudonym by (fake) first name while presenting a brief but still somewhat involved scenario about a pediatrician’s office visit.

      Word up to same said email author: I only buy into hook, line, and sinker when it involves Red-tailed Snappers… and the occasional Barracuda or three *chomp!*

      PPS The mention about an online presence was to distinguish from the apparent fake… pharmacy that called the last Friday in 2018 to advise me that my drug order was there and that they’d be closing at 1:00pm that day.

      So far, I’ve not found the alleged pharmacy name online, even with a few creative twists that led nowhere. How often does THAT happen in this Internet crazed day and age, you know?

      This isn’t the first time for this, but it’s approximately the most creative so far.

      My impression was that the caller was notably tripping over his words. There appeared to be… fake… muzak playing in the background. My perception of that detail is certainly tainted by years of exposure to this ordeal, but I can’t shake my initial impression that the “muzak” was potentially generated… by a child’s toy.

      The PDF file, I haven’t opened it. I’m dealing with highly organized sexual predators. I’m just not up for their… ongoing garbage… just this sec should that PDF include predatory images instead of an alleged patient medical update 🙂

      Well, there’s that and that YOU *NEVER* OPEN *ANY* EMAIL FILE ATTACHMENTS WHATSOEVER when they arrive unsolicited from absolute and total strangers residing clear across on the other side of the country right over there…….

  4. I don’t understand why the ATM manufacturers make the slot big enough for a skimmer …. I mean people put their card into the slot after the skimmer is installed so that tells me there is way too much space in that slot.
    They need to add a detection device that throws a net on the perp if anything other than a plastic credit card is inserted into that slot ;-). Those devices are made with metal with electronics on it so that should set off alarms and a stun gun deployed. ATM makers you are welcome to modify my outrageous ideas to stop the madness!

    • Well they don’t have the auto deployed stun gun, but there are plenty of detection items for ATMs, all at added cost. Which we have them. Detects inserts that aren’t cards, vibration detection if someone drills/cuts into it, circuit monitoring. (among other methods) There is enough profit from ATMs to implement them all, if the owner chooses to.

  5. Sue the banks as there are several solutions to avoid this since 2012.
    If they don’t solve the problem, they are responsible!
    If at least they were replacing those which have been already hacked, because they are in the perfect places…

    See previous article
    https://krebsonsecurity.com/2012/09/a-handy-way-to-foil-atm-skimmer-scams/

    Search for ‘Diebold manufactures’ and just above it another answer ‘Roman Iakoubtchik’.

    • Customers aren’t responsible for ATM card fraud, as long as they check their bank statements and report discrepancies. Problem solved many years ago.

      • That does not solve the problem; it merely transfers the cost to the bank, which, in turn passes it along to ALL of their customers.

        • Actually….Banks do cost benefit analysis, it obviously costs more to implement all the security features, thus, why they choose to not do them. If they did implement them, and you state the costs would be passed along to customers, then we are actually saving money. Something I do not know, WHO is actually responsible? The ATM owner? Which may not be the issuing bank?

      • Watch yourself.. There is a big difference in the liability between a compromised DEBIT card and a compromised CREDIT card..

        First and foremost.. with DEBIT card fraud.. your money is gone until you can get it covered.. with CREDIT card fraud.. the charges are reversed immediately upon dispute…

        • Jim obviously needs a lesson on Reg E here in the US.

          • As you do in the practical matters of how things work in real life.

            Credit cards you aren’t responsible to pay fraud, cost burden is on the banks. You are never out any money, and don’t have to pay that part of bill.

            Debit cards the money is already gone from your account, and banks hate giving it back. They can make you do forms and paperwork and wait weeks to give back your money. Meanwhile your house payment is bouncing along with all your other bills. And you have to argue to get them to refund the bounced check fees, etc.

            Yes the laws protect both, but that doesn’t stop the money from being gone, and taking a while to get replaced, and possibly costing you money or credit dings in the meantime.

            • Who, in their right mind, has a debit card attached to their money accounts? That is possibly the least safe method, spend some time at CVS, another bank, and get an old fashioned, you have to put money in there, debit card. It only takes one bad apple, to steal from you, so, separate your apples from them. Keep your money safe for your use.

              • “Who, in their right mind, has a debit card attached to their money accounts?”

                Almost everyone.
                The ATM card says on it “DEBIT”
                It is linked, say, to a checking account.
                But most people do not turn off overdraft protection. So when the checking account gets emptied it is the turn of the account that is designated to cover overdrafts.

                My bank, actually a Credit Union, has a daily max. ATM withdrawal rate of $500, combined from all of your accounts.
                I learn from Brian to be safe:
                I have overdraft protection turned off. I have a password for my at-window or by phone transactions.
                When using an ATM I cover the pin pad so well that I sometimes really have to bend down to see the keys.

              • I have a debit card from my bank. With their phone app, I’m able to transfer money into the debit card. I always keep it at $50 tops.

                It has worked very very well for me. No fee from my bank for the card nor for the app use.

            • somguy, actually a bank cannot require you to fill out or complete forms. It is governed by Regulation E, which is the most consumer friendly regulation there is. You merely have to inform the bank. They have ten days to respond. They can grant you provisional credit, which gives them more time to investigate. However, if the fraud is true, then the overdraft charges are required to be reversed. Most banks that I know will immediately grant provisional credit to allow themselves more time to investigate.

        • Jim, I would have to disagree. While there are differences between Reg E and Reg Z by no means do funds get reversed instantly for all situations on a credit card. If the dollar amount is low…probably as it is going to be written off. Most institutions do not care about a $14.37 charge to Chipotle (clearly an example), however will take note on the amount of claims per account. A high dollar claim/dispute is likely not going to get reversed instantly. There actually might be some questions, investigators, police reports, and further research. This is how 1st party fraud exists in this realm by fictitious claims/disputes for egregious amounts on practically impossible and/or super suspect situations which the card holder cannot explain and only brings more questions than answers.

          • @Jordan – The difference with a Credit Card fraud issue is that I only have to review my statement once a month. I review it, flag any transactions as fraud and submit the required online forms stating I’m not lying. Then when I schedule my monthly ebill payment, I first subtract the fraud total from my statement balance, and only pay the remaining portion. While the dispute is being processed, the charges are “on hold” and I’m not liable for them. The credit card company is out the money, not me, while things are getting settled.

            It is the opposite with a transaction tied to a checking account. I’m temporarily out the money while the process slowly winds its way.

            I’ve never been near my credit card limits, but I imagine that might be the only problem one might have is during the investigation of credit card fraud charges you might have that amount unavailable from your credit line.

            It’s really less of an issue these days as both my banking and credit cards are set to send me text and email alerts for transactions over $200. It’s amazing how fast these texts come through as well – often literally seconds after I’ve dipped my credit card and hit “yes/approve”.

          • You guys need a new bank – NFCU gives you the cash back instantly on debit fraud while they investigate. On credit fraud they take the charge off your bill instantly. You have to contact them but you should check your account every few days anyway.

    • Stephane, that’s a ridiculous comment. If all ATMs had all existing security measures installed, it would take about 60 days for a fraudster to figure out a way around them. Then what? And good luck trying to sue the bank. You’d have to prove willful blindness, or at best, neglect. And banks spend millions annually on anti fraud precautions at their ATMs, and can show it easier than you can show neglect.

  6. Maybe it’s time to have Multi-Factor Authentication for ATMs and do away with the stripe / PIN method.

    • I Want a Waffle

      I like your thinking here, though if they do implement MFA at ATMs, my concern is they would have to be on some sort of network or Bluetooth — which means that is just another avenue of attack for attackers.

    • MFA, like something you have and something you know? Hummm… Maybe a physical card and a PIN?
      Troy.

      • I see where you’re coming from, but technically the whole transaction is taking place at one machine, which is a single-point-of-failure, i.e., you are using the ‘something you have’ (card), inserting it into the machine, and then inputting the ‘something you know’ (PIN) into the same machine. I believe Patrick’s thought was something like this:

        1. User inserts card into the machine
        2. There is no PIN entered anymore
        3. The machine then sends a code to a device you have
        4. You verify the code on your device
        5. The payment goes through

        I think that’d be well and good, but if this were the case, there are still obvious flaws such as network connectivity. Those devices would then have to be on some network which is another added vulnerability. Heck, if they put that technology into all gas pumps, can you imagine the damage that could be done if ransomware or other malware entered into those machines now that they’d be connected to a network?

    • FWIW, Bank Of America supports Apple Pay at their ATMs. You still need to enter a PIN after tapping your phone (and authenticating the tap with a fingerprint), but that PIN won’t be useful to a thief if there’s no inserted card to skim.

    • Make it more difficult for thieves and they’ll just go back to old fashioned muggings outside the bank.

      ATM card cloning is good, because it’s easy and no one gets injured.

      When a bank is robbed during the day, staff know to not resist. Comply and it’s unlikely anyone gets hurt.

      Same for stores with shoplifting. Major retailers have policies disallowing physically interference with shoplifters to prevent injuries to staff, customers, and thieves.

      It’s much safer to let police do their job and insurance cover the loss.

      So you want to interfere with ATM card cloning? That’s only going to increase other crimes.

      • Your statements presume a fixed supply of criminals, whereby if one criminal path is blocked, they will use another criminal path. I don’t think that’s accurate. Skimmers and muggers have a very different set of “skills”.

        Also, you’re missing the risk/reward motivation. Skimming is low risk and high reward. Mugging is high risk and low reward. Also, if mugging someone with a concealed carry firearm, the risk includes the loss of your life. Skimming carries no such risk.

  7. That circuit board looked like a little camera board from a laptop. Easy to come by.

  8. Skimmers in gas pumps are pervasive at least in the eastern half of the USA – assume the pump you just used has a skimmer if you are east of the Mississippi. Gas pump consortium got themselves exempted from chip readers until 2020, so for at least another year gas pumps will be a criminal’s best friend. If your bank has an “app” like SecurLOCK, turn on Geo referencing so in person transactions only work where you/your phone is. And/or ask for a 2nd card with different number and only enable that card via the app for fuel then disable it again afterward. And, ask bank why they still have “chip fallback” enabled for EMV cards at all since that allows skimmed mag strip to be used for fraud.

  9. Our bank in CT changed the card insert method from shortest side in to the widest side in. Does that decrease the vulnerability to skimmers at all?

    We do have the same problem where it’s difficult to cover the pin when entering. The banks usually have a sign saying only drive-ups are allowed – no walking which I gather has to do with the individual banks insurance coverage. Thank you for the insightful articles.

  10. It is very difficult to cover the pad while typing the pin from many cars.

    I am no longer swiping my card to get the PIN prompt screen. I have been using my Samsung Pay App to get to the screen. It is much easier to reach from my car. I am sure there will come a day that this process will be vulnerable to some skimming too.

    • “It is very difficult to cover the pad while typing the pin from many cars. ”
      Get out of the car and use the ATM in the lobby/entrance/etc.
      That is what I do all the time.

  11. Rube Goldberg's Razor

    Smith and Wesson makes a blood skimmer that handily prevents these attacks.

  12. Hardest thing to sink into customers’ minds is that they have to cover their hand as they enter in their pin. This alone would address most of the pin fraud out there. Also don’t be fooled by ATMs with pin covers. I’ve seen them placing the pin under the covers making them even harder to spot.

  13. Park your car, and walk to the pedestrian ATM. Feels good and avoids the drive-thru.

    • People have become sooo lazy that they refuse to get out of their cars to go inside a Starbucks store. I live in an area where there are ridiculous lines blocking traffic because they all want to sit in their cars waiting in line for their coffee. They all drive huge SUVs pumping out CO2 while idling.

  14. Alrighty, I think it’s about time we suggest feasible solutions to the skimmer attack on physical ATM hardware. I’m thinking it must be cheap af or it will never take. So, what’s stopping us from using software-based object recognition from ATM camera data… I’m thinking as objects/read skimmer/ is placed it can be detected with camera data fed to proper software..I mean it’s a thought…talk me off this cliff??

  15. While many skimmers are getting harder to detect I saw a video a few years ago that shows a person who used their phone and turned on the Bluetooth device and actually was one way of determining if a skimmer was present if the Bluetooth on the phone was trying to connect to the skimmer it would try to connect. Another way to protect yourself from this fraud is to check with your bank and see if they have any way to turn your debit and credit card information off and also has the ability to set buying limits on both cards. I have set my limit to 10.00 dollars on both cards when making a purchase with either one. Every time I use either card I get an email alert from the bank on my phone within 30 seconds and no more than 1 minute. If something is going on you will know very quickly to take action and disable the card that has been compromised. Check with your bank and see if they have these features that you can setup for your debit card and credit card. I hope this information will help you!

  16. The most remarkable part of this story is that the skimmer lady didn’t know that she was being video taped.

    I can’t wait to hear her excuses when she’s apprehended.

  17. If you have a bank card with a chip — as we do in Canada — doesn’t that defeat the skimmer? Can a chipped card be cloned?

    • The chip can’t be cloned, no. A chipped card can still have its magnetic stripe skimmed, so it’s still possible to experience counterfeit card fraud if the crooks can find somewhere that still accepts the mag stripe without checking for the chip and the issuing bank still authorizes mag stripe transactions. I put controls in place at the bank where I work to decline mag stripe transactions, and we’ve had no counterfeit fraud for years now (we’re not US-based so this was practical for us). Seeing chip & PIN work as intended is glorious.

      • It is true, but if your cards (or the clones of your cards) do a transaction in countries like India, Indonesia or even USA where there are lots of terminals without chip support your chip controls won’t work. Chip capable terminals have to be enforced everywhere in order to be globally useful… Unless you completely unable your clients to do transactions on those countries/terminals. Security versus service … a difficult decision.
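      The issuer-side control discussed in this thread, declining stripe and chip-fallback reads of chip cards while leaving a way to serve cardholders in countries full of stripe-only terminals, written out as an added Python example. This is illustration code, not the commenter’s bank’s rules or anything from Krebs; the entry-mode labels, the `Card`/`Transaction` fields and the “travel notice” mechanism are assumptions (a real authorization message carries ISO 8583 numeric codes, not these strings), and the sample transactions are constructed.

```python
"""Issuer-side authorization rule for stripe and chip-fallback reads.

Added illustration only: field names, entry-mode labels and the travel-notice
idea are assumptions, not any bank's production rules or the ISO 8583 codes a
real switch would see.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed entry-mode labels (a real authorization message carries numeric codes).
CHIP = "chip"                # contact EMV read, cryptogram present
CONTACTLESS = "contactless"  # NFC EMV read, cryptogram present
MAGSTRIPE = "magstripe"      # terminal read only the stripe (no chip reader)
FALLBACK = "fallback"        # chip terminal fell back to the stripe after a chip error


@dataclass(frozen=True)
class Card:
    last4: str
    has_chip: bool
    # Countries the cardholder told the issuer they will visit (assumption: the
    # issuer offers such a notice so stripe-only terminals abroad still work).
    travel_notice: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Transaction:
    card: Card
    entry_mode: str
    country: str
    amount: float


@dataclass(frozen=True)
class Decision:
    approve: bool
    reason: str


def authorize(txn: Transaction, stripe_abroad_with_notice: bool = True) -> Decision:
    """Decide a single authorization.

    Policy, from safest read to riskiest:
      1. EMV reads (chip / contactless) are accepted; a cryptogram cannot be
         produced from skimmed stripe data.
      2. Cards with no chip have no safer option, so stripe reads are accepted.
      3. A chip card read as "fallback" is declined: a counterfeit copy of the
         stripe cannot make the chip work, so fallback is the clone's easiest path.
      4. A plain stripe read of a chip card is accepted only in a country the
         cardholder pre-announced, and only if the issuer enables that service.
    """
    if txn.entry_mode in (CHIP, CONTACTLESS):
        return Decision(True, "EMV read, cryptogram verified upstream")
    if not txn.card.has_chip:
        return Decision(True, "no chip on card; stripe is the only read possible")
    if txn.entry_mode == FALLBACK:
        return Decision(False, "chip fallback disabled for chip cards")
    if stripe_abroad_with_notice and txn.country in txn.card.travel_notice:
        return Decision(True, f"stripe read allowed: travel notice covers {txn.country}")
    return Decision(False, "stripe read of a chip card declined")


def summarize(txns: List[Transaction], **policy) -> Tuple[int, int]:
    """Return (approved, declined) counts for a batch under the given policy."""
    results = [authorize(t, **policy) for t in txns]
    approved = sum(1 for r in results if r.approve)
    return approved, len(results) - approved


# Constructed sample: one chip card with a travel notice for India, one legacy card.
CHIP_CARD = Card(last4="1234", has_chip=True, travel_notice=frozenset({"IN"}))
LEGACY_CARD = Card(last4="9876", has_chip=False)

SAMPLE = [
    Transaction(CHIP_CARD, CHIP, "CA", 40.0),         # normal home-country EMV purchase
    Transaction(CHIP_CARD, FALLBACK, "US", 300.0),    # clone pushed through fallback
    Transaction(CHIP_CARD, MAGSTRIPE, "IN", 25.0),    # stripe-only terminal, notice on file
    Transaction(CHIP_CARD, MAGSTRIPE, "US", 500.0),   # stripe read at home: likely a clone
    Transaction(LEGACY_CARD, MAGSTRIPE, "US", 60.0),  # non-chip card, nothing better available
]

if __name__ == "__main__":
    for t in SAMPLE:
        d = authorize(t)
        verdict = "APPROVE" if d.approve else "DECLINE"
        print(f"{t.entry_mode:<11} {t.country} ${t.amount:>6.2f} -> {verdict}: {d.reason}")
    print("lenient:", summarize(SAMPLE))                                   # (3, 2)
    print("strict: ", summarize(SAMPLE, stripe_abroad_with_notice=False))  # (2, 3)
```

      The `stripe_abroad_with_notice` switch is the “security versus service” knob the reply is talking about: with it off, every stripe read of a chip card is declined and the cardholder is simply unable to pay at stripe-only terminals; with it on, the issuer accepts stripe reads only where the cardholder said they would be, which bounds the window a cloned stripe can be used in without cutting off travel entirely. Fallback stays declined under both settings, matching the earlier comment asking why issuers still enable it.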

    • Any ATM (or similar) that captures a card as part of the auth prompt is just as vulnerable to skimming in Canada as it is in the US.

      Any reader that doesn’t completely accept a card in theory should be fine.

      Personally, I mostly bank in person. When I insert my card into a card reader inside TD Canada Trust, it only goes in far enough for the chip to be read.

      When I was in Finland, there were actually two card readers at ATMs, yellow (magstripe) and blue (chip) [1]. That model ensured that chip users could avoid risking their magstripes being cloned.

      [1] https://www.tripadvisor.com/ShowTopic-g189896-i442-k5787631-Cards_with_magnetic_stripes-Finland.html

  18. I went to my local Safeway grocery store some months ago and was pleased to see security tape on the ATM terminals at each register. It was not holographic tape or stickers that i have seen at some gas stations.

    Within two months i noticed that the tape was broken across the device. Even though i was using a chip I felt a need to check (I pulled and tugged) to see if there was an overlay device. The cashier asked me what i was doing and i explained. The cashier had no idea about skimmers. I pointed out that the purpose of the security sticker was to identify if a skimmer was placed there. Again the cashier had no idea. I asked if store management made any effort to teach the cashiers to check the security sticker on the device at the beginning of shift. The answer was no.

    Kind of defeated the usefulness of having and using the security stickers on the device to indicate any tampering. I looked at all the ATM devices at the cashier stations and they all had broken stickers.

    • Jean-Ralphio Saperstein

      That story legitimately annoyed me. Kudos to them for placing the security tape on the terminals, but shame on them for not educating the employees. That makes no sense to me. “Hello, I’m Dr. Dingbat, roll up your sleeve, I got a massive needle I’m going to shove in your arm.” What’s the sense of doing something if you’re not going to explain why you’re doing it?

      How hard is that to educate them? You have to figure, they have some sort of meeting with their teams, so tell the team leaders and they can relay it to all the employees. Literally takes less than 5 minutes. People wonder why users are often the weakest link in security — there’s a total lack of education or awareness.

  19. I sorta wanted to see what this thing looked like from the outside. How well does it present itself? These photos all show it from the guts side.

  20. So, we can get a pic of the criminal but we can’t get a pic of their license plates? C’mon!!!

  21. The circuit board in the second picture looks very much custom made, almost DIY. That’s interesting in itself as where is the talent coming from that makes the skimmers in the first place. Or is this something that you can purchase on the dark web?

  22. Notsofastmyfraud

    So I have seen the smaller deep insert skimmers, but picture number two I don’t buy it. That card reader is inserted from the inside of the ATM. It is impossible to replace or even solder any electronic components from the outside. The problem today is that banks want to sub their ATM servicing to third party companies at a lower cost to save money. Most of those companies hire inexperienced employees that can’t tell their left hand from their right. Yet the bank puts their trust on these companies to maintain ATMs above their skill set safe and operational for customer use. That skimmer looks like inside scheme in Hurst TX.

  23. Many ATMs now have high resolution screens.
    Why don’t they take advantage of these screens and have a picture of that ATM with what it should look like and a warning not to use it if anything in the picture looks different than the ATM being used.
    It *may* help.

  24. I say this every time. You can cover the pin pad all you want. The crooks still have your card data, and now instead of going to the ATM they are headed straight to Walmart to purchase gift cards or other high value merchandise.

  25. Is this sort of skimming possible at contactless terminals?

    In Australia, contactless is pervasive in retail. When withdrawing cash at an ATM I cover the pin pad but realised I never do at contactless terminals…

  26. I could definitely explain what is shown in these images considering I work for an ATM company.

    This particular insert skimmer is made of what appears to be some sort of black plastic/silicon material. I assume to help disguise it from being noticed if a customer were to squat down and look, like, “hey, what seems to be stuck in here?”

    So, the card reader is a dip reader. This is where it pulls the card in and clamps down to read the chip.

    The camera panel (with only seeing the rear side of it and shape) appears to be a black panel overlay that you would typically see on the top right part of a Diebold machine.

    I would love to see what this camera looked like on the machine, to see how really “well blended” it possibly was. Typically cameras are not that NICE and NEAT. Just easily looked past as unsuspected.

04
Jun 14

Peek Inside a Professional Carding Shop

Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.

The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. Featuring the familiar golden arches and the bastardized logo, “i’m swipin’ it,” the site’s mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.

Nevermind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.

The slideshow may make more sense if readers familiarize themselves with a few terms and phrases that show up in the text:

GLOSSARY OF TERMS:

Base: An arbitrary name that a dumps shop assigns to a unique batch of cards stolen from a particular compromised merchant or a mix of merchants. Most often, bases are named after the state or region of the compromised merchant. Base names allow dumps shop owners to have a consistent naming convention when adding freshly stolen cards from a specific breached merchant. In addition, base names allow happy customers to have an easy way to come back to the shop and request more of the same cards; conversely, buyers who have little success “cashing out” cards from a particular base have a frame of reference with which to warn other potential buyers away from a specific batch of cards (a la “brown acid“).

BINs: Short for “Bank Identification Number,” this is the first six digits of any debit or credit card, and it uniquely identifies the financial institution that issued the card. BINs are the primary method that card shops use to index wares for sale, and all buyers have their favorite BINs with which they’ve found success in the past. There are tens of thousands of BINs in use today, and few people legitimately employed in the banking industry have comprehensive BIN lists (which most banks consider proprietary). For that, you typically need to turn to the professional card shops, which track BIN usage quite closely.

Checker: A form of buyer’s insurance, this is an automated, optional service that dumps shop customers can use after purchasing cards to validate whether the cards they just bought are still active. Most advanced shops, including this one, have “moneyback” guarantees in place that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the customer pays the extra fee (usually 10-20 cents per card) to use the shop’s own checking service.

Discounted cards sold in “packs” or at wholesale or bulk prices.

Dump: Refers to a string of data that is pulled (usually by malicious software that infects cash registers or point-of-sale devices inside compromised merchants) from the magnetic stripe on the back of cards. Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

Packs: Large bundles of dumps (often from a variety of hacked merchants in a particular region) — sold at wholesale prices. As we can see from the screenshot above left, McDumpals sells dumps packs of more than 1,000 cards at a time. For example, in the screen shot above, the site is offering a pack of 1,245 cards stolen two months ago from stores in Massachusetts and Connecticut for the bargain price of USD $10,500.

First-hand base: A batch of cards stolen from a merchant breach in which the dumps shop proprietor himself played a key role. The multiple bases of some 40 million cards stolen in the Target breach and resold via rescator[dot]so is probably the biggest example I’ve seen of a first-hand base.

Reseller: Most dumps shops rely on multiple suppliers of stolen cards. Contrary to the conventional meaning of the word, these thieves are supplying cards that are not sold anywhere else; once a card is sold, it is removed from the marketplace, and any suppliers found to be double dipping are quickly banned from the dumps community. Rather, resellers are merely stealing the cards and then selling them to the dumps shop.

Valid rate: The dumps store’s best guess about the percentage of cards from a given base that will come back as valid versus canceled by the issuing bank. If a base is advertised at a 70 percent valid rate, customers can expect an average 3 out of every 10 cards they buy from that base to be worthless. Cards advertised at valid rates in excess of 90 percent typically demand the highest prices, and are a strong indicator of a breach that has only just been discovered by the breached merchant or some of the larger financial institutions. For more granular examples of how valid rates are closely tied to the price of stolen cards, see Fire Sale on Cards Stolen in Target Breach and Sally Beauty Hit By Credit Card Breach.

If the following slideshow is not visible, you may need to enable scripting on this page from knightlab.com, a Northwestern University joint initiative of Medill School of Journalism, Media, Integrated Marketing Communications and the Robert R. McCormick School of Engineering & Applied Science.

People often ask if I worry about shopping online. These days, I worry more about shopping in main street stores. McDumpals is just one dumps shop, and it adds many new bases each week. There are dozens of card shops just like this one in the underground (some more exclusive than others), all selling bases from unique, compromised merchants.

88 comments

  1. Sounds like someone wasn’t too pleased to have their site publicized.

27
Feb 19

Crypto Mining Service Coinhive to Call it Quits

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

A message posted to the Coinhive blog on Tuesday, Feb. 26, 2019.

In March 2018, Coinhive was listed by many security firms as the top malicious threat to Internet users, thanks to the tendency for Coinhive’s computer code to be surreptitiously deployed on hacked Web sites to steal the computer processing power of its visitors’ devices.

Coinhive took a whopping 30 percent cut of all Monero mined by its code, and this presented something of a conflict of interest when it came to stopping the rampant abuse of its platform. At the time, Coinhive was only responding to abuse reports when contacted by a hacked site’s owner. Moreover, when it did respond, it did so by invalidating the cryptographic site key tied to the abusive account.

Trouble was, killing the key did nothing to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key was invalidated, Coinhive would simply cut out the middleman and proceed to keep 100 percent of the cryptocurrency mined by sites tied to that account from then on.
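
The site key is the thing an abuse report has to name, so the first step for a site owner or researcher chasing injected miners is pulling it out of the page. As an added example (code written for this page, not Coinhive’s library or anything from the article), here is a small scanner over fetched HTML that flags the miner loader and extracts the key. It assumes the embed as Coinhive published it (the loader script served from coinhive.com, the `new CoinHive.Anonymous('<site key>')` constructor, the optional `throttle` setting); authedmine.com is listed on the assumption that the opt-in variant deserves the same review. The sample HTML and the key in it are constructed, and the site-key length bound is a guess.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts that served the miner library. coinhive.com is the service the article
# covers; authedmine.com is listed on the assumption that its opt-in variant
# should be reviewed the same way (a visitor cannot tell the two apart by CPU use).
MINER_HOSTS = ("coinhive.com", "authedmine.com")

# <script ... src="..."> in either quote style, with other attributes present.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

# The published embed instantiated the miner as new CoinHive.Anonymous('<site key>')
# (CoinHive.User and CoinHive.Token were the other constructors). The site key
# is the account identifier the service could invalidate; its length bound here
# is an assumption, not taken from the article.
SITE_KEY_RE = re.compile(
    r'CoinHive\.(?:Anonymous|User|Token)\s*\(\s*["\']([A-Za-z0-9]{16,64})["\']')

# throttle: 0.3 means the miner idles 30 percent of the time; injected copies
# usually omit it so the visitor's CPU is fully used.
THROTTLE_RE = re.compile(r'\bthrottle\s*:\s*(0?\.\d+|[01])')


@dataclass
class ScanResult:
    miner_scripts: list   # script src values whose host is a miner host
    site_keys: list       # site keys found in inline JS
    throttled: bool       # whether the embed sets a throttle at all

    @property
    def mining_present(self) -> bool:
        # Either indicator is enough: a loader with the key set elsewhere, or a
        # key with the loader served under another name, still mines.
        return bool(self.miner_scripts or self.site_keys)


def _host(src: str) -> str:
    # Handles absolute and protocol-relative (//host/path) URLs; a relative
    # path has no host and is never flagged.
    return urlsplit(src.strip()).netloc.lower().split(":")[0]


def _is_miner_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def scan_html(html: str) -> ScanResult:
    """Flag miner loader scripts and extract site keys from one HTML document."""
    srcs = [s for s in SCRIPT_SRC_RE.findall(html) if _is_miner_host(_host(s))]
    keys = sorted(set(SITE_KEY_RE.findall(html)))
    throttled = THROTTLE_RE.search(html) is not None
    return ScanResult(srcs, keys, throttled)


# Constructed sample: an ordinary page with one injected miner block. The key
# is a placeholder of the right shape, not a real Coinhive key.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('0123456789abcdefABCDEF0123456789', {throttle: 0.3});
  miner.start();
</script></head><body>catalogue</body></html>"""

if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    for src in result.miner_scripts:
        print("miner loader:", src)
    for key in result.site_keys:
        print("site key to report:", key)
    print("throttled:", result.throttled, "mining present:", result.mining_present)
```

The scanner deliberately treats a loader with no key, or a key with no recognized loader, as a positive: as the paragraph above explains, an invalidated key did not stop the script from mining, so key validity is not evidence of a clean page.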

In response to that investigation, Coinhive made structural changes to its platform to ensure it was no longer profiting from this shady practice.

Troy Mursch is chief research officer at Bad Packets LLC, a company that has closely chronicled a number of high-profile Web sites that were hacked and seeded with Coinhive mining code over the years. Mursch said that after those changes by Coinhive, the mining service became far less attractive to cybercriminals.

“After that, it was not exactly enticing for miscreants to use their platform,” Mursch said. “Most of those guys just took their business elsewhere to other mining pools that don’t charge anywhere near such high fees.”

As Coinhive noted in the statement about its closure, a severe and widespread drop in the value of most major cryptocurrencies weighed heavily on its decision. At the time of my March 2018 piece on Coinhive, Monero was trading at an all-time high of USD $342 per coin, according to charts maintained by coinmarketcap.com. Today, a single Monero is worth less than $50.

In the announcement about its pending closure, Coinhive said the mining service would cease to operate on March 8, 2019, but that users would still be able to access their earnings dashboards until the end of April. However, Coinhive noted that only those users who had earned above the company’s minimum payout threshold would be able to cash out their earnings.

Mursch said it is likely that a great many people using Coinhive — legitimately on their own sites or otherwise — are going to lose some money as a result. That’s because Coinhive’s minimum payout is 0.02 Monero, which equals roughly USD $1.00.

“That means Coinhive is going to keep all the virtual currency from user accounts that have mined something below that threshold,” he said. “Maybe that’s just a few dollars or a few pennies here or there, but that’s kind of been their business model all along. They have made a lot of money through their platform.”

KrebsOnSecurity’s March 2018 Coinhive story traced the origins of the mining service back to Dominic Szablewski, a programmer who founded the German-language image board pr0gramm[.]com (not safe for work). The story noted that Coinhive began as a money-making experiment that was first debuted on the pr0gramm Web site.

The Coinhive story prompted an unusual fundraising campaign from the pr0gramm[.]com user community, which expressed alarm over the publication of details related to the service’s founders (even though all of the details included in that piece were drawn from publicly searchable records). In an expression of solidarity to protest that publication, pr0gramm board members collectively donated hundreds of thousands of euros to various charities that support the fight against cancer (Krebs is German for “cancer” or “crab”).

After that piece ran, Coinhive added to its Web site the contact information for Badges2Go UG, a limited liability company established in 2017 and headed by a Sylvia Klein from Frankfurt who is also head of an entity called Blockchain Future. Klein did not respond to requests for comment.


14 comments

  1. Wow, good news for a change!

    Maybe the internet will be just a little bit cleaner without a trash site like that.

  2. The Sunshine State

    I just read about this on bleepingcomputers(.)com

  3. And I still like that protest by raising money for charities.

  4. The fact that they can’t sustain a business now that criminals have less use for it, should make it pretty obvious that Coinhive was always intended as a criminal enterprise.

    Rather than adjust their fees and try to expand their customer base, they give up a pretty simple profit stream?

    They don’t sell the company to a rival?

    This reeks of Mt. Gox and other crypto scams, where owners take the money and flee.

    I predict KOS will be writing about their indictments in a few months.

    • Really, why is that? There are other crypto businesses shutting down because of crypto winter. Based on your logic, any business that closes because of financial difficulty is a criminal enterprise?

      • Purposely misunderstanding is fun.

      • Any business that can’t survive after criminals leave its customer base is not legitimate. It was either intended to be a criminal enterprise from the start, or amazingly naive.

        And they don’t seem naive.

  5. I’m thinking they’ll be back in a different form when they can figure out how to get past the hurdle of the major drop in recent cryptocurrency values, i.e. tweak the scam just enough to bring v2.0 to market.

    • I don’t know why you call it a scam. It was a legitimate business model although people used the service on machines that did not opt-in. The code was already out there to use the non-opt in model.

  6. There’s a similar service called jsecoin that runs off javascript but uses very little CPU resources. jsecoin is designed better and can be used by webmasters that may want something to help cover costs. And this one, the visit has to opt-in.

  7. It’s a big relief. Coinhive made the mining bit easy for the script kiddies.

  8. Who cares about this whole talk? Maybe we can rise with CoinIMP.
    It’s not the end anyway! I’ll continue trying out my chances right


#####EOF##### Cards Stolen in Target Breach Flood Underground Markets — Krebs on Security

20
Dec 13

Cards Stolen in Target Breach Flood Underground Markets

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.


Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked whether I would be willing to advise his fraud team on how to do the same.

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.


According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’ cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.


A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from any base other than Tortuga. As the month wore on, new Tortuga bases would be added to the shop, with the base number incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.
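
The two database checks described in this story, scoping which cards touched the retailer inside its published window (the population the bank was weighing for reissue) and then the common point-of-purchase test on the cards it bought back, look like this as an added example (code written for this page, not the bank’s tooling). The authorization history, the card references and the bought-back set are constructed; the merchant names are stand-ins and the card references are issuer-side identifiers rather than PANs. The example also folds in a base-rate comparison against uncompromised cards, which the article does not describe, so that a merchant everybody shops at does not outrank the actual breach point.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    card: str       # issuer-side card reference, never the PAN
    merchant: str   # normalized merchant name (in practice a merchant ID)
    when: date


@dataclass
class CppCandidate:
    merchant: str
    share: float       # fraction of compromised cards that transacted here
    base_rate: float   # fraction of uncompromised cards that also did (popularity)
    first: date        # earliest compromised-card transaction: start of the window
    last: date         # latest one: end of the window


# Constructed authorization history for six cards at three merchants.
HISTORY = [
    Txn("c1", "Target", date(2013, 11, 29)), Txn("c1", "Grocer", date(2013, 12, 1)),
    Txn("c2", "Target", date(2013, 12, 3)),  Txn("c2", "Grocer", date(2013, 12, 4)),
    Txn("c3", "Target", date(2013, 12, 10)), Txn("c3", "Gas", date(2013, 12, 11)),
    Txn("c4", "Grocer", date(2013, 12, 2)),  Txn("c4", "Gas", date(2013, 12, 6)),
    Txn("c5", "Target", date(2013, 11, 20)), Txn("c5", "Grocer", date(2013, 12, 9)),
    Txn("c6", "Gas", date(2013, 12, 14)),
]

# Constructed: cards the fraud team bought back from the shop and found still open.
BOUGHT_BACK = {"c1", "c2", "c3"}


def common_point_of_purchase(history, compromised, min_share=0.9):
    """Rank merchants that the compromised cards have in common.

    share is the fraction of compromised cards seen at the merchant; base_rate
    is the same fraction among cards not known to be compromised. Candidates
    below min_share are dropped; the rest are sorted by share minus base_rate.
    """
    by_merchant = defaultdict(lambda: defaultdict(list))   # merchant -> card -> dates
    for t in history:
        by_merchant[t.merchant][t.card].append(t.when)
    all_cards = {t.card for t in history}
    clean = all_cards - compromised
    out = []
    for merchant, cards in by_merchant.items():
        present = set(cards)
        hits = compromised & present
        share = len(hits) / len(compromised)
        if share < min_share:
            continue
        base_rate = len(present & clean) / len(clean) if clean else 0.0
        dates = [d for c in hits for d in cards[c]]
        out.append(CppCandidate(merchant, share, base_rate, min(dates), max(dates)))
    out.sort(key=lambda c: c.share - c.base_rate, reverse=True)
    return out


def cards_exposed(history, merchant, start, end):
    """Cards that transacted at merchant inside [start, end] (ISO date strings).

    Once the retailer publishes its window, this is the reissue population."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return {t.card for t in history if t.merchant == merchant and lo <= t.when <= hi}


if __name__ == "__main__":
    for c in common_point_of_purchase(HISTORY, BOUGHT_BACK):
        print(f"{c.merchant}: {c.share:.0%} of bought-back cards, "
              f"{c.base_rate:.0%} of other cards, window {c.first} to {c.last}")
    print("reissue set:", sorted(cards_exposed(HISTORY, "Target", "2013-11-27", "2013-12-15")))
```

On the constructed data every bought-back card was at the stand-in Target, only a third of the other cards were, and the window the bought-back cards define (Nov. 29 to Dec. 10) sits inside the retailer’s stated one. Lowering `min_share` lets the popular grocer through, but its share equals its base rate, so it ranks below the real candidate.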

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three-digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they possess the legitimate, physical card for the corresponding account that is being used to fund the online purchase.
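
What a “dump” actually contains is easiest to see by parsing one. The following is an added example (written for this page, not the bank’s or the shop’s tooling) that decodes Track 2 as laid out in ISO/IEC 7813: it pulls out the six-digit BIN the bank searched on, checks the PAN’s Luhn digit so a malformed record fails before anyone tries it, and decodes the service code that tells a buyer whether the card is chip-preferred or PIN-gated at the terminal, which bears on the ATM cash-out scenario mentioned earlier. The two records are constructed around the well-known Visa and Mastercard test PANs with made-up expiry, service code and discretionary data, and no LRC is appended. Note the field list: there is no slot for CVV2, which exists only in print on the card.

```python
import re
from dataclasses import dataclass

# Track 2 (ISO/IEC 7813): ';' PAN(<=19 digits) '=' YYMM service-code(3) discretionary '?'
# The trailing LRC is omitted in these samples. CVV2/CVC2 has no field here.
TRACK2_RE = re.compile(r'^;(\d{1,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$')

# Service-code digit meanings from ISO/IEC 7813.
SC_INTERCHANGE = {"1": "international interchange", "2": "international, chip preferred",
                  "5": "national only", "6": "national only, chip preferred",
                  "7": "no interchange (private)", "9": "test"}
SC_AUTH = {"0": "normal authorization", "2": "online authorization by issuer",
           "4": "online authorization by issuer except under bilateral agreement"}
SC_SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
               "2": "goods and services only", "3": "ATM only, PIN required",
               "4": "cash only", "5": "goods and services only, PIN required",
               "6": "no restrictions, PIN where feasible",
               "7": "goods and services only, PIN where feasible"}


@dataclass(frozen=True)
class Track2:
    pan: str
    exp_year: int
    exp_month: int
    service_code: str
    discretionary: str   # issuer-defined; historically PVKI, PVV and CVV1/CVC1 live here

    @property
    def bin(self) -> str:
        return self.pan[:6]          # six-digit BIN, as the article uses the term

    @property
    def masked(self) -> str:
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def describe_service_code(sc: str) -> str:
    return "; ".join((SC_INTERCHANGE.get(sc[0], "reserved"),
                      SC_AUTH.get(sc[1], "reserved"),
                      SC_SERVICES.get(sc[2], "reserved")))


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan, yy, mm, sc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if not 1 <= int(mm) <= 12:
        raise ValueError("bad expiry month")
    return Track2(pan, 2000 + int(yy), int(mm), sc, disc)


def find_by_bin(tracks, issuer_bins):
    """The bank's search: which of the records on offer carry one of its BINs."""
    return [t for t in tracks if t.bin in issuer_bins]


# Constructed records built on the well-known Visa and Mastercard test PANs.
SAMPLE_DUMPS = [
    ";4111111111111111=2512101123456789?",
    ";5555555555554444=2603201987654321?",
]

if __name__ == "__main__":
    records = [parse_track2(d) for d in SAMPLE_DUMPS]
    for t in find_by_bin(records, {"411111"}):
        print(t.masked, f"exp {t.exp_month:02d}/{t.exp_year}", "sc", t.service_code,
              "->", describe_service_code(t.service_code))
```

Two things the decode makes concrete: the service code’s third digit is what tells a buyer whether a cloned card needs a PIN at the point of sale, and nothing in the record answers an online merchant’s CVV2 prompt, which is why the bank above treated card-not-present fraud as the lesser worry.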

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

Have you seen:

Non-US Cards Used At Target Fetch Premium: “An underground service that is selling millions of credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.”


445 comments

  1. There is an excellent book on this topic written by Kevin Poulsen entitled Kingpin. It’s fascinating, eye-opening stuff. The genesis of the book can be found in this paper:

    http://thenewtech.tv/tech-life/cybercrime-paper-kingpin-by-kevin-poulsen

  2. So if one bought alcohol with their card at Target during this time period did the hackers have access to their Drivers License information as well? Just curious…

    • How would the Hackers be able to get hold of anyone’s Drivers License information? I don’t think Banks put that information on the Magnetic Strip, that’s on the back of Credit/Debit Card, but I’m not really sure.

      • It is common practice at Target for the cashiers to request a drivers license from anyone purchasing alcohol. They then scan the barcode on the license (what do they do with the data? Who knows?). If you ask that they not scan, and instead merely visually confirm your age, they will do so, but it requires a supervisor override (similar to when a cashier wants to void a purchase). This means the customer has to wait, etc. So, the net result is that Target scans a shitload of licenses at their checkout counters. No clue how or whether the data are stored, but this is undoubtedly what prompted the question.

        • Never knew you could ask for a visual verification. After this clusterf&ck, that’s all they’re getting from me going forward.

        • Oh! I don’t purchase any Alcoholic Beverages, from Target…I did, however, purchase some Vicks “Day Care” for my Daughter, on one of my visits to Target. That requires showing ID.

          The Cashier asked for my Driver’s License…I handed it to her…She looked at it, and handed it back, to me. I don’t remember her scanning my Driver’s License, though! Maybe they only scan it, if you purchase Alcoholic Beverages…I don’t know, though. :o/

    • Sorry to assume everybody knew about this Target practice during routine alcohol purchases. Yes, that’s right, they ask you to scan your ID Card. Since Target has been fooled I’m wondering what happens to this data. Is it encrypted? Where is it stored? I think they should explain to consumers how they keep it safe forever or stop the practice. I no longer let them swipe it, but many do. Anybody know how long or any details about this process? They aren’t the only retailers who do this. They are just more anal about it than others. Ask your local retail employees and they don’t have a clue. You just get an “it’s store policy” response.

  3. “…The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2…”

    According to a [semi-private] talk given by a member of the FBI’s cybercrime unit, the CVV2 is from a formula derived from the CC number. You have the number and the formula, you can generate the CVV2. I wouldn’t bet on the criminals not having the formula.

    • They need the triple DES secret too! Not as easy as one might expect. If the card had been a chip card and the USA merchants had invested in EMV-enabled terminals offering real security, this all would be interesting but not troublesome.

    • it is not about the CC nr but about the CCV2, isn’t it? what do you think?

  4. I’ve been trying for days to get Target to cancel my Target Red card (Debit). They refused on the phone because they said I had to have used the card for an online purchase. (I didn’t). I e-mailed Target Headquarters saying cancel my card, giving them the card number. I received an e-mail back saying “There is no immediate need to cancel your REDcard or any other credit or debit cards” even though I specifically told them to cancel immediately. My bank has reported suspicious activity pertaining to my card. Is there something further I can do short of withdrawing everything from my bank and having all automatic deposits changed to another bank account?

    • Pauline,
      Just call them back and say that you have a better card with lower rates and that you would appreciate if they could cancel out the card.
      While they have a point in that your card may not have been part of the breach it is fully your right to cancel when you want.

      I would push the issue and if they do not honor it I would kinda say that you will take legal action if required as you no longer want the card.

      If it persists after that call your attorney general and they will take care of it for you.

      F@ntum

  5. Can a regular person log onto one of these websites and check to see if their own card numbers are being sold?

    • if you register you could; it’s rescator.la

    • Remember if you log on to a site that sells stolen data a) the FBI may be watching and you may get wrapped up in the hoopla, and b) if they are the unscrupulous type and sell people’s cards, do you think it would be easy for them to also monitor who connects and inject malware into the systems that are connecting?

      Just a thought, I would make sure you use a public wifi connection not your house and also use a computer that is ready for the scrap heap, then pull the hard disk out and junk it…DON’T use the computer you surf the web on day to day or you may get something you didn’t ask for.

      -F@

      • I thought about this after I posted the question. Decided not to go to the website. Just very frustrated that the banks and Target aren’t trying to let people know how this happened and what exactly did they grab….

        • It is not the banks that can tell you how this happened; it would be all TARGET. It is only the banks who lose in the situation because at the end of the day, the banks will refund any fraudulent funds used out of consumers’ accounts, pay to reissue the cards, and pay for the man hours used.

          • I don’t believe that the banks will truly lose. When a fraudulent purchase is made the banks deduct the transaction directly from the merchant that made the purchase. The merchant loses the product and the profit. Then has to fight to prove they did their best and followed verification protocol. Usually if the merchant wins the customer loses, not the bank. Maybe in this instance the banks will absorb some of the loss, but somehow I doubt it.

          • Actually most major banks have a credit card fraud department that has real-time access to fraud trends worldwide. They can pinpoint the common point of compromise and enable protocols that cut off card use in specific locations. The banks work hand in hand with Visa and MasterCard. There are several web-based restricted-access sites where they share information and discuss where fraudulent card activity is occurring.

      • Use Tor to connect to it for anonymity. That said, the site currently does not respond…..

  6. I guess this may put damper on the new product COIN (onlycoin.com) was working on.

    I actually had one of those “shut up and take my money moments”. Problem is, there isn’t a chip on their current offerings – yet.

    After this breach, I imagine we’re going to see chip cards coming out faster now.

  7. The crime is not victimless, it is the bank that suffers the fraud losses and in turn the consumer because the bank has to sometimes increase fees to absorb some of those costs.

  8. Just a thought; sign up for SMS or e-mail alerts. Virtually all major card issuers have this functionality. If you are reading AT you probably have e-mail, if not an SMS (text) capability. Alternately, many will ring your phone(s) with an account alert. My AMEX card responds to purchases over a selected amount so rapidly that it often comes in as I am signing the chit. There is also a ‘Card Not Present’ alert. Chase will also leave me a voicemail if I am out of range or on an aircraft etc. Do this NOW. Wells Fargo sends an update on all account activity about 3:00 AM every day there is a change if you sign up. This can include autopay, checks cashed and so on.

    • Both of my Chase Debit Cards are signed up for “Alerts”. If either of them has any suspicious activities, or has an ATM withdrawal or Purchase over my Daily limit of $250.00, for each, I automatically get a Text message, from Chase, letting me know that the Card, in question, is over my $250.00 Daily limit.

      You should also check with your Credit Card Company, and your Bank, to see what your Daily Spending/ATM limit is. This is the second time the Credit/Debit Card, for this Chase Account has been Compromised. Last time it was Stolen, whoever got hold of it, spent almost $4000.00 before it was discovered. (Chase did replace all the Money, back into my Account, though.)

      When I went to my Chase Bank, to get a temporary Card, I asked them what my Daily Spending/ATM Daily limit was, they said, “$3000.00, for both”! I was absolutely floored!! I never set the Daily Limits that high…Chase did! I immediately had them lower it to $250.00! So, make sure you know what your Daily Spending/ATM limit is!

  9. Signing your card “check ID” may only help in the case your card is lost or stolen. In the circumstance of a fraudulent card manufactured using your card information, it will not be your true card present and there will be no such note to “check ID”. It’s a well intentioned action that offers no deterrent in fraudulent card circumstances.

  10. None of the “see ID” on the back of your card works if the criminals are using a self checkout. Even if the cashiers go look to verify ID, the name and the 16 digits on the front of the card can be different from the magnetic stripe from which the purchase is made. The USPS is the only place where I have experienced a cashier entering the last four digits from the FRONT of the card that must confirm what is swiped off the magnetic stripe.

    These criminals tend to buy gift cards that they unload as quickly as they can or buy high priced items to sell cheap for cash. WE ALL PAY FOR THIS eventually regardless of the EMV system that should be in place.

  11. The “rescator.la” is now changed to “rescator.su”…
    .la is no longer responding , they have changed the domain.

  12. It’s “rescator.so” not “rescator.su”….it was a typo in my previous post..

  13. Wow. I went to that website but left quickly. I just wanted to see if it was real. Hope the fbi dont knock on my door . Wonder how do they get away with it.

  14. What Angel wrote may sound unbelievable but it’s true. A similar thing happened to me and I showed it to my lawyer. He said that they had no grounds to charge me late fees on a credit card that I never used. His advice was to ignore it, which I did. However, it’s been about 10 years now and every 6 months or so I get more made-up bills for a settlement for something I never owed in the first place. They also called me and said they had a wrong address just like Angel wrote. I also never received a credit card by mail. My only mistake was to deal with a company that tries to scam consumers. I wonder how many people were scared into paying Target illegal stolen money. This may sound crazy but it’s the complete 100% truth.

  15. When I originally commented I clicked the -Notify me when new feedback are added- checkbox and now each time a comment is added I get four emails with the same comment. Is there any manner you’ll be able to take away me from that service? Thanks!

  16. Johann Consumeres

    Notification:
    Response time – SMS, call, e-mail etc. varies widely by provider. My AMEX threshold is set at USD 50.00, which means that 80% of my transactions elicit a response. Using Sprint SMS, generally I get a text before a waiter can get the chit back for signature. Chase Visa takes about half an hour max to get a phone call. WFB sends an e-mail nightly with all transactions.

    One attempt with a stolen AMEX number in a jewelry store resulted in a decline, not as good as a bust, but good. We called AMEX immediately and they did something.

    The other thing is when you have a card you need to ditch, don’t argue, report it stolen and fill out any kind of report you have to. People who will not cancel a card immediately upon request are not being straightforward which removes your obligation to be straightforward with them. You do not have to concoct a story. “I can’t find my card and I think it may be stolen. I was at Far Niente and when I got home I didn’t find it.” Document the call, ask for a name and a replacement card even if you never activate it, then shred the original. My soon-to-be ex was arrested while trying to withdraw $5K with a card I reported ‘missing’ the day before. Not charged but did not get the $pondulies either.

  17. Just issue a free 90 day fraud alert to prevent identity theft.
    That way the thief will find a different victim.
    https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp

  18. I was just notified last week my card was breached. Now I’m having a new one issued, all because of the one time I shopped at Target. I live in Holland, Michigan and my Target is just down the road. They said that they’re helping people who have a card through Target, but what about the people who don’t? My god, what is wrong with people? I don’t have a lot of money to begin with, but to take the little I do have… those people should be put away for the rest of their lives.


#####EOF##### Alleged Child Porn Lord Faces US Extradition — Krebs on Security

22 Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.

Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (30 years for each count).


91 comments

  1. With any luck he’ll end up in a prison with crappy security and a population that knows who he is and what he did.

  2. That is one sick puppy

  3. I think that for once, the comments calling for something bad to happen to this individual might be justified.

  4. Thank you for this update. Let’s get this case going.

  5. For those of you endorsing violence in prison against this individual, just think about what you are accepting. Have you really considered that you, your kids, or your friends could also possibly end up in the same prison system where it is acceptable or condoned for prisoners to be assaulted?

    • Well, if they were doing this to children, then YES!

      • Well then why don’t we just change the laws and have the courts sentence them to physical torture and rape? The price people pay for crimes committed should be the price of the sentence prescribed by the courts, not vigilante justice. If you actually think that people convicted of crimes should be tortured and beaten up as part of their punishment, then pass laws that sentence them to that. It is not the job of convicts, prison guards or police officers to dole out punishment. The punishment is for the courts to decide, and if that’s not good enough, then change the laws.

    • If any of my relatives do what this guy did, then my relatives would get what they deserve.

      • Valarie Crockett

        And will you not be just as bad as your relative and deserve punishment for your wrongdoings? Maybe a counselor could help explain why people look at porn in the first place. Some people need help, not to have you turn your cheek the other way.

    • Yeeahhh normally I’d agree with you, but not this time.

    • Sarah Everidge

      To condone violence against others as a solution is never going to work

      • Violence tends to cause more violence so even if it should technically solve a problem in most of the cases it still isn’t wise to use violence. If you are categorically against violence I respect you and if society treats even a monster like a human being I am proud about that. But in case of child pornography if violence happened against someone who did it or who profited from it I wouldn’t be unhappy if society collectively turned around and allowed someone punish the ones who ruined countless lives that just had begun for them.

        • These days we don’t really know who those criminals are, or whether they have a background of doing something or not. Some of them really know how to hide from the authorities, and it is sad that our children might be victims. I just found a website that can search your name online to see if you have done something illegal in the past. It has free background checks; here is the link https://www.checkpeople.com/background-check

    • If anyone close to me, no matter the relation, did this, and I found out about it, they would be lucky to survive long enough to go to jail. This is one of the most sickening things imaginable. Absolutely no sympathy for these vomit-inducing scumbags.

    • Have you considered if the victims were your kids? Anyone who does this to children, family or not shouldn’t receive any compassion. This is absolutely unacceptable, and if a family member did this to any children, I would personally impose physical discomfort on them and assist law enforcement as needed to ensure they stay locked up behind bars. So sickening!

  6. Aside from the obvious outrage over this sleazy individual and his “line of business”, I am somewhat disturbed over Firefox having such backdoor! Did anyone else notice that “little” nuance?

    As much as I like the fact that it helped FBI to catch this guy, I am also appalled that it will help assist “strongmen” in Russia, Turkey, China, Iran, Venezuela to go after political opposition and dissidents. That should not be allowed, Mozilla foundation!

    • It was a zero-day vulnerability that had been patched by the time the story broke (I think it was even patched in the latest Tor Browser during the investigation, but not everybody had updated) and required JavaScript to be enabled (a bad security practice that I do not know why the Tor Project engages in by default).

      • Technically recent copies of Tor Browser ship with noscript enabled in whitelist mode where all scripts are disabled by default and must be explicitly enabled one by one. Most modern websites are broken with javascript disabled which is why the option to enable it is included instead of a blanket enable/disable option (which would, arguably, be far worse than the finer toothed noscript option). Not sure about the timeline, noscript may have been started to be included in response to this exploit.

  7. I’m more than a little confused on the technology here. Was this a website on a traditional server that somehow shows up as an onion website?

    • It existed on the Internet but the website could not be accessed via a usual Internet address (“clearnet”) but only via an overlay network called Tor; it *was* possible to administer it via its IP address (not over the Web, but over other protocols like SSH), but things like vhosts can be set to disallow Web access without using the proper hostname, and it is not possible to get an IP address from a .onion domain (hidden-service name).

  8. The Sunshine State

    One of the worst federal charges that you can get nailed with is “Child Porn.” There is absolutely no defense if the feds do a hard drive forensic and find illegal images: “stick a fork in you, you are done!”

  9. Dear FBI, your miserable attempts to track us down and arrest us will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous.
    I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
    Just who do you think you are anyway to sit there in your rotten departments of (in)justice and make plans on how to arrest citizens for browsing the internet?

    We the freedom fighters will never let you seize our freedoms and individual liberties.

    You can make exploits, we will make security systems.
    You can keep tracking us, we will keep anonymizing ourselves.

    Encryption is on our side.
    Human will is on our side.
    Liberty is on our side.
    We will be victorious.

    • So… I guess prepubescent children don’t deserve any of the freedom you claim to be fighting for.

    • Anubis = the Egyptian god of mummification and the afterlife as well as the patron god of lost souls and the helpless.

      Apparently this wannabe freedom fighter is focused on the lost souls versus the helpless.

      In any case he’s a troll.

    • “We will be victorious.”

      No, you won’t.

    • Mighty Anonamouse

      Dear TORTURE OF CHILDREN, your miserable attempts to ESCAPE us – will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous, MORE PEOPLE WILL GO DEEP TO GET YOU.
      I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
      Just who do you think you are anyway to sit there in your rotten CAVE of injustice and make plans on how to TORTURE CHILDREN for FUN?

      We the freedom fighters will never let you seize our CHILDRENS freedoms and individual liberties.

      You can HIDE IN exploits, we will make security systems.
      You can keep HIDING, we will keep FINDING YOU.

      TIME is on our side.
      Human will is on our side.
      Liberty is on our side.
      We will be victorious.

    • “… countless individuals who wish for only one thing in their lives – privacy and liberty.”

      That’s two things.

    • You forgot about the most powerful advocate of children. JESUS CHRIST, LORD OF LORDS and KING OF KINGS.

    • You are an IDIOT!
      Your stupid liberty bell argument has no merit. You have no common sense; I take it you are one delusional mind. And can you tell me just what in hell’s name you do on the internet that has you thinking you’re some freedom fighter of privacy! Unfortunately the world is a sick, sick place and those evil people took our privilege of privacy online away. These are innocent children and they have more of a right to be safe than you have to your internet privacy! So suck it up, buttercup. You are being watched, get used to it, so pick the right fight to fight! Your head is twisted and you ain’t Superman and no, you can’t fly!!!

  10. Harry Johnston

    So far as I can tell, the alleged crimes took place while the accused was in Ireland. Why is he being extradited to the US?

    • The story linked at the bottom of the piece goes into that question in detail.

    • Short answer: The FBI had the evidence against him. They have much more credibility in US courts. Irish prosecutors declined to charge him so the courts would send him to the US where he’s *much* more likely to be convicted.

    • ” Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. ”

      US citizenship means he is subject to all US laws, no matter where he is.

  11. The real porn lords are the elite like the Rothschilds, Rockefellers and Jesuits. This is just a fall guy that provides them with “throwaway” children they eat after sodomizing and drinking their blood to stay young. When it doesn’t work anymore they get a replacement body. The secret tech is very close to what we see in science-fiction which is really non-fiction. Truth is stranger than fiction. They lie about everything else. Why not that too?

  12. “Government says…”
    “Investigators allege…”

    What does the evidence show? What is the defense saying?

    It’s all well and good to report on convictions and the legal process, but what is the public interest being served by repeating salacious allegations from government thugs or name-calling the defendant for a headline?

    Btw, calling child abuse imagery “porn” diminishes its seriousness. The legitimate porn industry helped build the Internet (1). Real porn is gross, but harmless. This crap, however, is a symptom of despicable abuse, and should be called as such: recorded images of child abuse.

    That said, this case is nonsense. Even if the guy did everything alleged, it wasn’t in the US and he wasn’t in the US. The search warrants will be tossed out or it’ll end in a plea. It’s obvious that the FBI utilized NSA expertise and they’ll want to keep that out of the public record. No way this gets to a jury.

    (1) google it.

    • Apparently you missed “Marques, who holds dual Irish-US citizenship”, and you didn’t read the Irish Times article that Brian pointed to and you are not familiar with US Extraterritorial jurisdiction (ETJ).

      There are certain crimes that US citizens can be held accountable and indicted, no matter where they are perpetrated.

      Also, extradition treaties come into effect.

      Consider El Chapo in Mexico may have never set foot in the US. So using your logic, he could never be held accountable and tried in the US. But that’s not how the system works.

      • The only reason Ireland is surrendering Marques is their inability to do anything useful with the illegally obtained information gathered by the FBI, while not wanting to appear lenient regarding child abuse imagery.

        Unlike Guzman, Marques is not alleged to have done any crimes, or directed crimes be done, in the US. The FBI was completely out of their authority to remotely investigate this case.

        Guzman’s activities directly affected Americans.

        US authority doesn’t extend into other countries when crimes don’t affect Americans. A long string of Supreme Court rulings have knocked down laws seeking to punish people who do bad things overseas. (1)

        The process here is an attempt to circumvent the Irish jury system and intimidate Marques to plead guilty on arrival to the US. It will probably never reach a US jury, as it offends Americans’ sense of justice to consider illegally obtained evidence.

        (1) http://cornelllawreview.org/articles/what-is-extraterritorial-jurisdiction/

        • “US authority doesn’t extend into other countries when crimes don’t affect Americans.”

          Ah, so none of the abused children were Americans. Is that right? It’s not mentioned in the article. And even if that were the case, are American children worth more than non-American children?

          It seems him having US citizenship is enough to grant them jurisdiction, and I’m OK with that.

        • “it offends Americans’ sense of justice to consider illegally obtained evidence.”

          Haha, you can’t be serious. Obviously, you haven’t seen much of our justice system in action.

        • The US does have jurisdiction to investigate crimes involving the hosting of child pornography. See link attached. He ran the websites, so yes he should be (and could be) investigated.

          • Further Thoughts

            He did not run the websites. He owned the website hosting company. That’s like the difference between a person who makes threatening phone calls and the person that runs the phone company.

            • In what scenario is it ordinary business conduct for a “phone company” to collect images of child abuse or encourage criminals to collect more?

              This guy is alleged to be far more than a hosting provider. What evidence do you have to contrast that?

            • BowB4RightNotMight

              Sir;

              This is not a good comparison and you should be ashamed of yourself for spreading that kind of rhetoric. I hope you do not have children or children in your family. The guy’s hosting company was exclusively designed to hide CHILD PORN. You are comparing this guy to a regular phone company that is designed for public communication and is sometimes used by A$$holes to make pranks.
              I won’t judge you, but I hope you were just being an A$$hole yourself and you didn’t mean it like how it sounds.

  13. As much as I would like to see this individual suffer in some direct physical sense, the civilized part of me will be satisfied if he is consigned for a LONG period of time to the Supermax in Florence, Colorado. For those not familiar with that prison, it’s been described as a living death, and rightly so.

  14. HA! HA! More than one can play at this “hacking” game! Kudos to law enforcement for using the tools at hand!

  15. So basically, all he did was provide VPS’s on Tor? Standard nothingburger from the FBI baby-killers.

    Did Eric Eoin Marques burn 17 little children alive?

  16. Thinking Further

    Eric Eoin Marques was not running the porn sites — he ran Freedom Hosting, an internet website hosting service that had 30,000 or more sites. Of those, the FBI claims 100 sites had child abuse images. Marques ran his business by himself. His terms of service stated that his customers could not upload anything illegal onto their sites or use their sites for any illegal purpose. He also had a privacy policy that he did not look at or go onto the sites being hosted on his servers. Holding Marques responsible for the contents of his customers’ websites breaks new legal ground. This is like holding Amazon Web Services responsible for the contents of all the websites on AWS or holding Twitter responsible for all the tweets, pictures, and videos tweeted by the millions of Twitter users. The FBI has called Marques the largest facilitator of child porn, which has been effective at getting the public to rush to judgement. In reality, he is a guy with Asperger’s syndrome who had a tor website hosting company in his bedroom, and 100 of the more than 30,000 sites were run by customers taking advantage of the situation to run sites with child porn. No one has suggested exactly how he was supposed to ferret out those abusive sites. Amazon Web Services also does not allow illegal content, but it refuses to remove illegal content that is reported to the company, which is a complex, obscure, and difficult process, unless there is a court order stating the content must be removed. In other words, AWS handles illegal content by ignoring it, even if it is reported, unless there is a court order stating it must be removed. The FBI never tried going to Marques with a court order stating which sites were to be removed, but instead, arrested him and charged him with crimes, as being responsible for the content of all the websites on his web hosting service. This breaks new territory in US internet crime prosecutions.

    Is the DOJ going to hold AWS, Twitter, Facebook, and all the internet giants responsible for all the content posted by all of its users? If not, exactly why are they doing that to this one guy from Ireland? Maybe that will be explained in this court case.

    • Is a diagnosis of Asperger’s an affirmative defense to anything?
      Seems he was very high functioning if true.

      We do not know if he was checking the contents of those he was hosting or not. Likely he was observed remotely or there is other evidence he was involved in more than hosting.

      One wonders if the following is true, why he would do such a thing, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

      What was so precious on that laptop?

      With the Cloud Act having been passed a year ago, the feds likely have much more information available than has been publicly released to date.

      https://money.cnn.com/2018/03/23/technology/spending-bill-microsoft-lawsuit-supreme-court/index.html

      • A person can dive for any number of reasons, including to avoid the explosive end of an agent’s firearm. It doesn’t prove ownership or intent or guilt.

        As for the law you mentioned, it came years after this guy was arrested. Doesn’t apply.

    • Random Thoughts

      I think you hit the nail on the head. I was looking for information in this article that might highlight what he was doing instead of what the DOJ wants people to read. Admittedly I didn’t read the linked articles but it does appear you are right. He ran a hosting service that simply did not shutter some sites run by other individuals. Those are the people I want to see shut down. Not a hosting provider that has sites that Governments don’t like.

      I am conflicted because he likely isn’t cooperating with investigators to close down the sites that SHOULD be closed. Possibly because the US Government would want other sites closed because they harm big companies or share secrets the government would like to not be shared.

      But I don’t think we should rush to judgement that he or anyone should be harmed in jail just because a DOJ PR report said they did something so horrendous we don’t want to think about it. DOJ has been wrong before, and this piece appears to be another example if he was a web site hosting company and not actually involved with or visited or even received complaints about the offending sites.

      • Further Thoughts

        Thanks for thinking logically. As explained in many news stories, when the rented server used by Marques was taken down by the FBI, all the sites on it were taken offline.

        And the story gets better still. Supposedly some of these alleged child abuse image sites are actually Japanese manga or other cartoons. That’s why it’s so important to see what the evidence actually is.

        • Thinking Further, Random Thoughts, and Further Thoughts. Are you three somehow related, having a “discussion” of talking points you’ve already agreed on?

          • Oh I don’t know, Steve, are WE the same people?! Are WE just having a discussion within ourselves?! The internet may never know…

            • Oh Steven, you silly, silly man. Wait… is this the same Steve or are there now THREE OF US??!!

              • Come on Steve, they are all one person and it is you and I who are different. Or… what if… even ALL of us are the same person?! MY HEART CAN’T HANDLE THIS SITUATION!!!!

        • Can you cite to this research, so we may also read it?

          In regards to the CP sites actually “only hosting Japanese Manga or other cartoons”.

    • He would have known about the child porn sites in 2011, when Anonymous started Operation DarkNet and was DOS’ing his hosted sites.

    • You have it all wrong. In some of the other research and articles about Freedom Hosting, Marques clearly knew what servers and sites his clients were hosting (CP) and still continued to let them operate on his hosting and in some cases even helped them to avoid takedowns or LE operations.

      He is not some innocent random guy who ran a website hosting company as you claim. He knowingly helped to host CP and disgusting sites and keep them online.

      • Further Thoughts

        Can you cite to this research, so we may also read it?

        • Sure thing. He was fully aware of the content he was hosting and actively marketed it as such.

          https://thegoldwater.com/news/29059-World-s-Largest-Facilitator-of-Child-Porn-will-be-Extradited-to-the-US-to-Face-Justice

          “Prosecutors say that Marques was born in the United States of America, but that he’s an Irishman who fled the United States of America to set out upon a profitable venture on the internet with the intention of targeting child pornographic distribution networks in order to make his fortune, and that’s what the FBI says he did.”

          “The Federal Bureau of Investigation participated with coordination of the low-key raid on Marques, where for years he’d bragged to the pedophiles using his services that he was untouchable.”

          “The argument from the FBI is that Marques was fully aware of what he was doing; knowing that child pornography was being hosted on his services and that he was profiting from this.”

          • Thank you.
            Unimaginable that people treat the worst child abuse so lightly.

          • Buncha Malarkey

            You should consider getting your information from more reliable sources. He “fled” the United States at the age of 4 because his parents moved back to Ireland and, imagine this, they took their 4-year-old with them. He is only a US citizen by birthright; neither of his parents is a US citizen and he lived only a few years in the US, as a young child.

    • IF that is the case, then it will set and change precedent and you’d see Facebook, Twitter et al flip their lids over it. I seriously doubt that is the case.

    • BowB4RightNotMight

      You sound like you were one of his users, sir. If he had 100 child porn sites on his hosting server, what are the other websites advocating? It surely cannot be religion. You make no sense. You wrote an entire essay to justify why a Child Porn advocate is innocent? Is that what this essay is about? #BowB4RightNotMight

  17. I’m confused. How can the FBI have jurisdiction here?

    Unless the pedo-websites were actually hosted in the US or the operator resided in the US, the FBI should not be involved as it is a national bureau of investigation with jurisdiction in the US alone. Eric Eoin Marques lived and operated the site from Ireland.

  18. To echo the comments of ‘Thinking Further’ above.. There was a lot of collateral damage when Freedom Hosting was shut down. I don’t think many people realized how many (non-porn) Tor sites were running on Freedom Hosting until it disappeared.

    If Marques was knowingly hosting child porn sites, that’s a problem that needs to be dealt with. I’m not sure that we can jump to that conclusion.

    It’s not clear whether, or to what extent, he knew what was being hosted. An ethical hosting provider does not go sifting through the contents of their customers’ data. If they receive an abuse complaint, they are aware at that point and have a duty to respond. It’s doubtful that the child porn sites identified their hosting provider, and due to the nature of Tor there was no other way of identifying and contacting the provider. It’s highly unlikely that Freedom Hosting was notified of the content.

    This is likely a case of the Marques taking the money and looking the other way, but pursuing criminal penalties for child porn/abuse appears to be inappropriate.

    • He had to have known he was hosting child porn by 2013. Anonymous started DDOS’ing those sites in 2011 as part of Operation Darknet. To say a hosting provider wouldn’t be aware of the system issues and the publicity surrounding it is just not credible.

      https://www.bbc.com/news/technology-15428203

      • Further Thoughts

        The article you linked does not back up your claims. It is not likely their efforts, which were crimes in themselves, knocked anything off Tor, let alone any specific offensive sites. Just because someone calling themselves Anonymous claims to be doing something does not mean it is actually happening.

  19. “The sites could only be accessed using the Tor Browser Bundle”

    This isn’t strictly true: you do need to use Tor, but you can use that with any browser if you have the service running on your computer. The Tor Browser is just a tool that makes Tor easier to use.

  20. Look at you all. This group has abandoned all common decency and is quarreling over a Firefox back door. Forget the kids, who were TORTURED and RAPED, let’s get mad about something that was probably designed to stop this sick industry. What happened to the children afterwards? Thought about that? Your internet god has removed all traces of decency in you all.

    • Not so, Charlie. Most children who become the subjects of child porn images and videos have this done to them by their parents, guardians, or other people in their lives who are in a position of trust. That’s why going after the creators of child porn, or those that run websites trading in child porn, makes sense.

      Putting criminal responsibility onto the man who ran a website hosting service, the terms of service of which clearly stated that no illegal contents were allowed onto the sites, makes little to no sense. If you want website hosting services to be responsible for the contents of all the websites on the host services, then no one will be able to be a website host.

      This is quite like holding the phone company responsible for everything everyone says on all phone calls. It makes no sense. Should the presidents of iPhone and Sprint be put in prison because teenagers are sexting and old men are sending dick pics?

    • And what about dissidents and people who are trying to fight government oppression who might be facing torture and death because of backdoors. Study the history of oppressive regimes and they often start with violations of civil liberties that are emotionally justified but then lead to abuses that include genocide.

      I would also add that in the US a person is innocent until found guilty by a jury. If you think vigilante justice works read “The Oxbow Incident”

    • Charlie, you’re wrong.

      This article is primarily about technology and a long-running legal case. The comments reflect this.

      Second, a comments section is not an appropriate venue for psychological support or victim pathologies.

  21. I wonder if this was leveraging the WebRTC exploit, because all the info I read points to it.
    A lot of common VPN providers were also affected by this browser issue!

  22. So glad you reported on this development. At a time when the FBI seems to be under attack for political reasons, it is good to push a story like this to the forefront. Child porn, and those profiting from it need to be tracked down and held accountable.

    Thanks Krebs for keeping us informed. You do a great job.
    Respectfully,

    Kevin D. Eack

  23. @Brian

    > 3o [sic] years for each count

    You have an O where you probably should have a 0.



#####EOF##### A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach — Krebs on Security

29 Mar 19

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining that most of this restaurant chain’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.

Joker’s Stash typically organizes different batches of stolen cards around a codename tied to a specific merchant breach. This naming convention allows criminals who purchased cards from a specific batch and found success using those cards fraudulently to buy from the same batch again when future cards stolen from the same breached merchant are posted for sale.

While a given batch’s nickname usually has little relation to the breached merchant, Joker’s Stash does offer a number of search options for customers that can sometimes be used to trace a large batch of stolen cards back to a specific merchant.

This is especially true if the victim merchant has a number of store locations in multiple smaller U.S. towns. That’s because while Joker’s Stash makes its stolen cards searchable via a variety of qualities — the card-issuing bank or expiration date, for example — perhaps the most useful in this case is the city or ZIP code tied to each card.

As with a number of other carding sites, Joker’s Stash indexes cards by the city and/or ZIP code of the store from which the card was stolen (not the ZIP code of the affected cardholders).

On Feb. 20, Joker’s Stash moved a new batch of some 2.15 million stolen cards that it dubbed the “Davinci Breach.” An analysis of the cities and towns listed among the Davinci cards for sale included a number of hacked store locations that were not in major cities, such as Burnsville, Minn., Livonia, Mich., Midvale, Utah, Norwood, Ohio, and Wheeling, Ill.
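The tracing technique described above, matching the store cities and ZIP codes indexed with a stolen-card batch against a merchant’s public location list, can be written down as a small scoring routine. The following is an added example and not code from the article; the batch and the merchant store lists are constructed for illustration (Burnsville, Livonia, Midvale, Norwood and Wheeling are the towns the article names, the rest are invented), and the weighting of major cities is a design choice of this example, not something the article states.

```python
"""Score how well a carding-shop batch matches a merchant's store footprint.

Added example, not from the article. Carding shops index each stolen card by
the city/ZIP of the store it was taken from, so the distribution of store
cities in a batch can be compared against the public location list of a
suspected merchant. Small towns are far more discriminating than big cities,
because nearly every chain has a store in Las Vegas or New York, so cities in
MAJOR_CITIES are down-weighted. All data below is constructed.
"""
from collections import Counter

# Cities so common across merchants that a match says little (constructed set).
MAJOR_CITIES = {("Las Vegas", "NV"), ("Orlando", "FL"),
                ("New York", "NY"), ("Chicago", "IL")}

# Constructed sample batch: one (city, state) tag per stolen card.
# Burnsville, Livonia, Midvale, Norwood and Wheeling are named in the article;
# "Anytown" is an invented city that no candidate merchant explains.
BATCH_CARDS = [
    ("Burnsville", "MN"), ("Burnsville", "MN"), ("Livonia", "MI"),
    ("Midvale", "UT"), ("Midvale", "UT"), ("Norwood", "OH"),
    ("Wheeling", "IL"), ("Las Vegas", "NV"), ("Orlando", "FL"),
    ("New York", "NY"), ("Anytown", "XX"),
]

# Constructed store lists for two hypothetical candidate merchants.
MERCHANT_LOCATIONS = {
    "Suspect Chain": {("Burnsville", "MN"), ("Livonia", "MI"), ("Midvale", "UT"),
                      ("Norwood", "OH"), ("Wheeling", "IL"), ("Las Vegas", "NV"),
                      ("Orlando", "FL"), ("New York", "NY")},
    "Decoy Chain": {("Las Vegas", "NV"), ("Orlando", "FL"),
                    ("New York", "NY"), ("Chicago", "IL")},
}


def city_weight(city, major_cities=MAJOR_CITIES):
    """A card from a small town counts fully; one from a major city counts 1/4."""
    return 0.25 if city in major_cities else 1.0


def score_merchant(cards, locations, major_cities=MAJOR_CITIES):
    """Return how much of the batch a merchant's footprint explains, and vice versa."""
    counts = Counter(cards)
    total_w = sum(city_weight(c, major_cities) * n for c, n in counts.items())
    matched_w = sum(city_weight(c, major_cities) * n
                    for c, n in counts.items() if c in locations)
    stores_hit = len(set(counts) & locations)
    return {
        # weighted share of cards whose store city belongs to this merchant
        "card_match": matched_w / total_w,
        # share of the merchant's stores that show up in the batch
        "store_coverage": stores_hit / len(locations),
        # cities in the batch this merchant cannot account for
        "unexplained": sorted(set(counts) - locations),
    }


def rank_merchants(cards, merchants, major_cities=MAJOR_CITIES):
    """Rank candidate merchants by card_match * store_coverage, best first."""
    ranked = []
    for name, locations in merchants.items():
        s = score_merchant(cards, locations, major_cities)
        ranked.append((name, s["card_match"] * s["store_coverage"], s))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, combined, detail in rank_merchants(BATCH_CARDS, MERCHANT_LOCATIONS):
        print(f"{name}: combined={combined:.3f} "
              f"card_match={detail['card_match']:.3f} "
              f"store_coverage={detail['store_coverage']:.2f} "
              f"unexplained={detail['unexplained']}")
```

The second number, store coverage, is what separates a real match from coincidence: a merchant whose stores all appear in the batch, including the small-town ones, is a much stronger candidate than one that merely shares a few big-city locations with it.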

Earl Enterprises said in its statement the malicious software installed at affected stores captured payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names. The company says online orders were not affected.

Malicious hackers typically steal card data from organizations by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.

Cardholders are not responsible for fraudulent charges, but your bank isn’t always going to detect card fraud. That’s why it’s important to regularly review your monthly statements and quickly report any unauthorized charges.

32 comments

  1. Are these restaurant chains moving to tokenized processing of bankcards? We’ve been doing that for over a year now, no unencrypted card numbers are ever on our system or exposed.

    But the restaurant industry is slow to adopt new security measures, so they are likely still using swipe readers at the hacked locations.

    • There are some that have upgraded to support the chip. (AFAIK, Buca di Beppo has not.) However, pay at the table in the US is still extremely rare outside of the largest chains and likely will continue to be for some time to come.

      Anyway, I’m feeling that the EMV liability shift wasn’t nearly as strong of a motivator as the card networks thought it’d be. Perhaps this is a case where regulation at the government level would have been helpful.

      • The level of regulation in the US is commensurate to the affordability of the system to merchants. It is actually amazing Chip-N-Pin is reaching the adoption levels it has in America.

  2. The Sunshine State

    Another great article , the credit card breach news always starts here first !

  3. They refuse to update their card readers, they also need to have card processors on each table that only accept chip transactions. I really hate when the waitstaff disappears with my card for 20 minutes as well. Isn’t it time they got ahead of the game? As for Buco, their food isn’t very good and their restaurants have poor acoustics.

    • I also hate when a restaurant does that (I’ve never been to any of the places listed here)!!
      I need to make a better effort at bringing cash to a place I know does that.
      BTW, can anyone tell me why some places swipe my card & then insert to use the chip? Doesn’t seem secure to me.

    • Chip and signature + tip adjust continuing to be allowed makes pay at the table hard to justify for restaurants. Not to mention that there are apparently a significant number of customers who are not fans of pay at the table, so implementing it when few other places are will likely alienate them. (In my experience, outside of the large major chains like Chili’s and Applebee’s, pay at the table in the US is extremely rare.)

      Of course, this assumes a restaurant upgraded to support the chip at all. A fair number are still swiping.

      • “apparently a significant number of customers who are not fans of pay at the table”

        What reason would people not be fans of keeping possession of their credit card instead of having it walked around a restaurant?

        • Likely in large part due to tipping. Right now it’s done with the server away from the table, so they don’t see the amount until after the guests have left. With a portable payment terminal, the server is standing there while the guests enter the amount. I can see how that’d be awkward if it’s not something done at every restaurant.

          • fwiw, restaurants whose staff leave payment machines w/ customers and then walk away are just asking to be hacked in various ways. I haven’t looked into it in detail, but I expect that someone will have a way to tamper with the machines… The machines can generally trigger credits/refunds in addition to making charges (I’m not sure if they require extra codes for approval, but a key-pad-logger can be installed, if the staff is away…).

            I can understand the hesitancy wrt revealing the tip amount, but it’s a pretty silly thing–the wait staff will know the amount and will probably remember you long enough to be able to associate the amount with you.

    • This article clearly stated that the point of sale computer system was hacked, remotely.

      This article has nothing to do with waitstaff skimming cards or card readers.

      Did you even read it?

  4. Hey, where’s the obligatory “we take our customers security very seriously” BS? Also how about offering a (useless) free credit monitoring service? I guess they don’t do it in Italy, hah?

    • From the Buca di Beppo Web site:

      “We remain committed to safeguarding the security of our guests’ information and deeply regret that this incident occurred.”

      So there’s the BS you were looking for, Dennis.

      • Mikey Doesn't Like It

        BS indeed!

        The only actions they suggest on their website are things that YOU, the customer, should do. Nothing at all on their part. And certainly not even the hint of offering any credit monitoring protection (however useless that may be).

        They “deeply regret” this incident — no doubt because of the inconvenience to them, not us.

        A shabby response. Definitely not the kind of company I’ll patronize.

  5. Can anyone explain why restaurant establishments (and possibly other similar random-transactional-businesses) would have any need to store mag stripe info for more than, say, 24 hours? I expect that the back end payment processors issue a transaction number for every payment made by the front side vendor for tracking purposes. It seems that if B.d.B. and others would simply not retain the sensitive data unnecessarily it would reduce risk in large amounts.

    • This breach, like many others before it, was caused by malware on the point-of-sale devices that captures the card data as the customer’s card is being physically swiped at the register — not when the data is somehow stored in the retailer’s systems.

  6. Time for customers to vote with their feet and refuse to patronize these establishments who allow such breaches to occur for an extended period of time, and then refuse to talk to the press about its occurrence. It’s not like there is a shortage of Italian restaurants or sandwich shops. As for Planet Hollywood, well….

    • By that logic, you should skip any restaurant that hasn’t been breached because it may be breached in the future. Or, better yet, maybe you should just stop using credit cards.

      • I, for one, essentially HAVE stopped using my credit cards, except in the few mega retailers who, if they get breached, then virtually EVERYONE in America will be having a bad hair day right along with me. Only those mega companies seem to actually take any of this “security” stuff seriously. I haven’t used any of my cards at any *restaurant* in literally years, and I won’t, because of stuff like this. The card companies have gone to great lengths to get everyone addicted to using plastic, but doing so is unambiguously dangerous. Cash is your friend. Flip that middle finger at the card companies. They deserve it because they don’t do s**t except collect fees… which they do, even on fraudulent transactions.

  7. Always been corruption dealing with Esau if no the bible I’m not against it because it’s every company you go in spend money on ,comma since ,add up the dollars because the cents don’t make sense so you have a company or franchises doubling up their money . The Italian way .

  8. What really sicks is when Bucca sends you emails for special offers they only accept your credit or debit card not cash to redeem offer. So what’s that all about””” something’s fishy

  9. WAIT! WAIT! WAIT! Wait just an effing minute here! Brian, your time line is NOT making things clear. Please elaborate. You write that you contacted the company and informed them of the issue on Feb. 21, 2019, and yet the company CONTINUED to have card numbers stolen from it right up to and through March 18, 2019?? Am I reading that right?

    Brian, please do clarify. And it is really totally OK to blow your own horn here, under the circumstances. Are you, to the best of your knowledge, both the first and also the ONLY party to have informed this company about the breach? And why did it take them nearly a full month to take this matter seriously and to actually lock things down?? This is just NUTS and shows an abject and callous disregard for the safety of the company’s customers. This is really inexcusable. May the lawsuits begin!

  10. So you contacted them on 02/21 but you are reporting it on 03/29.
    Did you agree to wait for a good reason?

  11. Burnsville is a Minneapolis suburb; for all practical purposes it is Minneapolis.

  12. Nothing will change until merchants who leak our credit card data are penalized significantly.

    The tech to avoid these problems is available. The only reason merchants are not using it is that the money they save by not upgrading is literally worth more than the risk they take in not upgrading (because there really isn’t any risk right now). Risk = Severity($) x Probability of occurring x Exposure to the risk. To put it another way: convert risk to dollars, then follow the money. If that points to not investing in proper security, there will be no meaningful security.

    Regrets and yet another credit monitoring subscription do not help. Only when merchants are obligated to observe good security practices via threat of major financial pain will they do so. Flip the equation so it is NOT worth the risk of operating with vulnerable payment processing systems and practices. Only then will we see improvement.

  13. For some reason the Coffee Bean and Tea Leaf joints in our locality have cards inserted in the chip card slot that say “Swipe” with an arrow pointing towards the card swipe slot. The manager said they had problems with the Verifone terminals so they were just using the mag stripe. Sigh.

    • Not unusual.

      I was in a chain sandwich shop Saturday. Their chip readers were all broken.

      The owner was working that night.

      She said corporate forced them to buy that particular system… and corporate doesn’t want to hear that they’re broken.

      Franchisees are responsible for paying to have them fixed.

  14. What forum was this on?

  15. ROB: Discussing the most well arranged podcast, though I think we perform good job of masking that.

    The Romans only had VHF and three black and white channels
    — all in Latina. The records I’ve heard so far are unimaginable. http://myy.me/skyalpinequeenstowncasino515726

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage — Krebs on Security

21
Oct 16

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.

At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”

Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.

“I truly think this IoT infrastructure is very dangerous on the whole and does deserve attention from anyone who can take action,” Flashpoint’s Nixon said.

It’s unclear what it will take to get a handle on the security problems introduced by millions of insecure IoT devices that are ripe for being abused in these sorts of assaults.

As I noted in The Democratization of Censorship, to address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.

Devices infected with Mirai are instructed to scour the Internet for IoT devices protected by more than 60 default usernames and passwords. The entire list of those passwords — and my best approximation of which firms are responsible for producing those hardware devices — can be found at my story, Who Makes the IoT Things Under Attack.
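Two things in the article are visible from the network side: an infected device scours the Internet for other devices answering on Telnet and SSH, and a vulnerable device is only reachable because those services are exposed to the outside. Both show up in ordinary connection logs. The following is an added example, not code from the article, from Flashpoint or from Dyn; the log format, the internal address ranges, the fan-out threshold and every sample line are constructed for illustration.

```python
"""Flag Mirai-style behaviour in simple connection logs (added example).

Two defender-side checks over a constructed "epoch src:port dst:port proto"
log format:
  1. fan-out: an internal host opening Telnet/SSH connections to many distinct
     outside addresses, the pattern an infected device shows while it looks
     for more default-credential victims;
  2. exposure: outside addresses reaching Telnet/SSH on an internal host,
     which means the device is reachable from the Internet (for example
     through a UPnP port forward) whether or not its web password was changed.
Thresholds, address ranges and sample lines are assumptions of this example.
"""
from collections import defaultdict
import ipaddress

MGMT_PORTS = {22, 23, 2323}          # SSH, Telnet, alternate Telnet
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 20                # distinct outside hosts before we alert

# Constructed sample log. All outside addresses are from the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24), so nothing here is a real host.
SAMPLE_LOG = (
    # one camera hitting 25 distinct outside hosts on tcp/23: scanning fan-out
    [f"1477000{i:03d} 192.168.1.50:{40000 + i} 203.0.113.{i}:23 tcp"
     for i in range(1, 26)]
    # ordinary traffic from a laptop: same server, web and DNS ports
    + ["1477001000 192.168.1.10:51000 198.51.100.200:443 tcp",
       "1477001001 192.168.1.10:51001 198.51.100.200:443 tcp",
       "1477001002 192.168.1.10:51002 198.51.100.53:53 udp"]
    # outside hosts reaching Telnet on the camera through a port forward
    + ["1477002000 198.51.100.7:3311 192.168.1.50:23 tcp",
       "1477002001 198.51.100.8:5600 192.168.1.50:23 tcp"]
)


def parse_line(line):
    """Split one 'epoch src_ip:port dst_ip:port proto' record into fields."""
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def is_internal(ip):
    """True if the address lies in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines, threshold=FANOUT_THRESHOLD):
    """Return suspected scanners and exposed management ports."""
    fanout = defaultdict(set)    # internal src -> distinct outside dsts on mgmt ports
    exposed = defaultdict(set)   # internal dst -> outside srcs reaching mgmt ports
    for rec in map(parse_line, lines):
        if rec["proto"] != "tcp" or rec["dport"] not in MGMT_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            fanout[rec["src"]].add(rec["dst"])
        elif is_internal(rec["dst"]) and not is_internal(rec["src"]):
            exposed[rec["dst"]].add(rec["src"])
    return {
        "scanners": {h: len(d) for h, d in fanout.items() if len(d) >= threshold},
        "exposed": {h: sorted(s) for h, s in exposed.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, n in report["scanners"].items():
        print(f"likely infected: {host} opened Telnet/SSH to {n} distinct outside hosts")
    for host, sources in report["exposed"].items():
        print(f"exposed mgmt port: {host} reached from {', '.join(sources)}")
```

Counting distinct destinations rather than raw connections is what keeps a legitimate device that talks to one server many times from tripping the alert; on a home router the same two checks correspond to looking at the outbound connection log and the UPnP port-forward table, as several commenters below suggest.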

Update 10:30 a.m., Oct. 22: Corrected attribution on outage graphic.

242 comments

  1. I have a ChannelMaster DVR. Not sure if it XiongMai-based. Contacting the company tomorrow. What tools can I use to know if I am a node in a DDOS attack?

    Even more fundamentally, how does Mirai get through my firewall?

    Not a networking expert like most here.

    • The first four places I would check is the website for Channelmaster, the paperwork that came with the device, whatever might be said within the setting for it as far as firmware, and then whatever might come up within a google search.

    • Yet Another Eric

      I think the starting point is to look at your router itself, and see if the DVR has used UPNP (universal plug and play) to drill a hole in the firewall (i.e. see if any ports are being forwarded to your DVR).

      • You say regarding DVRs, you need to secure your router. Most people that have physical DVRs in their home rent them from a cablevision or FiOS or other provider and don’t control the device. It’s a black box to us, on the provider’s network, not behind your personal firewall, and we have no control over it.

        • These are not the DVR’s in question. We are not talking about machines for recording Game of Thrones (although they could probably be used for that) that come from cable tv providers.

          We are talking about DVR’s that are part of security camera setups. The Machines that these cameras are connected to for monitoring and recording whatever the security cameras see.

          These are two very different things. “DVR” means Digital Video Recorder. This is a generic term.

    • I don’t think you will get an answer.
      If not, the right tool is a hammer.

    • How about checking your 23 ports on your device[s]?

    • Justin B Cardwell

      If you look at your device logs, if possible, look for large numbers of icmp packets being sent to the same destination

  2. The real culprit behind all of this is UPnP. Your dvr/camera isn’t connected to the internet, your router is. And, as pointed out in one of these articles, ease of use concerns have overridden practical configurations for a while now. If you want to make sure your router doesn’t open up a hole without your knowledge, go kill UPnP on it.

  3. Anyone here already heard of maidsafe.net: https://hacked.com/decentralized-internet-solution-outages ?
    It has great potential, I think.
    They are still in development and the proof of the pudding is in the eating.
    But maybe some people here can help them in achieving their goals.

  4. For DHCP, DNS, and a couple of other services, the client server model could be adjusted so that clients need to use public key cryptography with client keys. Manufacturers could produce keys for themselves, sign intermediate keys for products lines and models, and then include either a per device or per build key which clients would use to get prioritized access to APIs. Services under load could choose to drop unsigned requests, and would generally provide responses to such requests with a higher latency (lower priority). Providers would also maintain a blacklist of abused certificates.

    Yes, this makes each request more expensive, but part of the reason that these attacks work is that the client request is much cheaper than the server response. By altering that equation, adding some tracking, and enabling discrimination, the equation can be changed.

    Microsoft could issue certificates such that perhaps 1000 users share a certificate. When an OS update is delivered, Microsoft could replace the certificates. If a Microsoft certificate is rejected, it wouldn’t doom all users, just some fraction, and they could contact support for help.

    The same would apply to any other vendor.

    Certificates should be time limited.

    Between the expiry on certificates and the ability certificates or intermediaries, manufacturers would be forced to support devices with at least basic periodic updates. And they couldn’t advertise a device as lasting forever unless they committed to actually supporting it.

    This model also covers the case where certificates are stolen: the original devices have to update to get replacement certificates from the vendor, and the thieves have to work to steal another certificate. If a vendor’s certificates are stolen too many times, then service providers could stop accepting them.

    • If we compare the Internet to a highway system, these certificates would be the equivalent of licensing drivers and vehicles to use roads. Private roads / servers could choose not to require licenses / certificates, but they could change their rules if they need to. And with roads and driver’s licenses, the issuers can choose to revoke or suspend a license, or to stop renewing it. Also, for places with reciprocal licensing agreements, they can choose to stop recognizing another entity’s licenses if there are too many problems.

      Privacy would be managed by issuers not generally issuing individual licenses to individual devices, but instead issuing them to groups – and since there’s a cost to issue a certificate, vendors would try to issue as few certificates as possible. But penalties exist for not replacing certificates fast enough: customers could sue or switch vendors. And penalties would exist for issuing 1:1 certificates in that customers would complain about loss of privacy and switch vendors.

    • This would make DoSing them EASIER – since verifying the client certificate is quite an expensive procedure, all you’d have to do is hurl lots of phony requests with random (but semantically valid) data at them.

      There have been some experiments with client-side proof-of-work (one related and common example would be CloudFlare’s captchas when a site is under attack or the client looks suspicious), but not a lot really helps once the attack is big enough to saturate your pipes.

  5. Kill upnp, job done

  6. As the article mentioned, the end user can change the web interface password but ssh and telnet passwords are hard coded into firmware.

    The latter are not reachable in most home networks because most are NAT’d and require port forwarding be established for these services.

    So it would seem to me that if an end user changes their web based password on the device in question and if they do not establish port forwarding to the telnet or ssh port on the device, then the device should be secured from this type of attack.

  7. Hi Brian,

    for me the whole story sound very whitehatish

    First the attacks against your site. Attacking the no1 security journalist who will report every detail about the attack and who is even capable of handling the attacks?
    Then the release of the source to reveal vulnerabilities so that every hacker will start using it as long as it’s not fixed.
    It has fix that! written all over it. Too bad it didn’t happen fast enough

    • Sounds like you don’t have a clue what a white hat is. It’s certainly not someone who launches massive DDoS attacks.

      • My fault. By definition (Wikipedia) that would be a “grey hat”.
        I just don’t see a reason why someone would ddos your site and then release the source (for free) any other than that.
        Anyway thanks for the reply.

        • They release it for free to obscure themselves and watch the world burn. If everyone in a crowd has the Anonymous/Vendetta mask on, who is the one you were looking for?

          • I agree the author chose to release it to be able to hide. if only you are using it then it’s only a matter of time before they can tie you to it.

    • Why worry about the source code? There is only one vulnerability to a weapon that is believed to be invulnerable and all powerful…..over confidence.

      Brian Krebs is going to make sure the world knows what this is. This is a good thing. Although his ability to ‘handle’ these attacks are only as strong as Google wants to make him.

      This is quite simply part of what can be perceived as a cyber virtual version of a ‘cold war’. This whole thing really is more about politics than technology. It is more about international relations than bit coins. The problem here is that in order for this to work, huge numbers of users (potentially all over the world) get used. The end user, whether they know it or not, gets used (played) in an attack against whoever or whatever is targeted.

      example:
      it does not matter what side of the political spectrum YOU personally fall on. This weapon could be used to take down any political party or opponent, Any reporter not saying what the attacker wants them to say, or even any company not doing the bidding of the attacker. The attacker could be a political leader or a rogue nut job.

      The funny part is that while all this is happening, YOUR so called security cameras could easily be helping to facilitate more ammunition. And you never know it. But ya know, who’s to say that all those IP addressable light bulbs could not be conscripted into the battle at some point? lol…..All while you’re sitting down at the dining room table having a quiet evening meal.

  8. The problem today is the industry sells cheap powerful often unpolished (Linux) devices to old cripple women trying to drive a Ferrari.
    They give it a buzzword, named IoT.
    And everybody bites.
    Smart…..

  9. How about we stop making things in china!

    • Let’s call it price/quality.
      How many Linux developers are there in the West?
      How expensive are they?
      Simple answer.
      There are almost no Linux developers in the West because our educational system failed.
      Linux and FOSS in general sucks, right?
      We missed the boat and are being left with W10 as disaster….

        • Nu 1, what Linux developer have to do with it? Not a thing, w10? Same, it’s all based on something else. Machine language. Just as English, is a derived language, and Spanish, and even Chinese are all derived languages. The problem is someone uses language to hide something, like your lightbulb spying on what you do, and reporting not to the power company, but to your neighbor. Now imagine, the same chips are in pacemakers, cars and semi-autonomous vehicles. Overload the network. Will the vote counting machine report your vote? Will your pacemaker work? Will your car make the high speed turn to your driveway? Or will your lightbulb turn on?

        • I thought: “Kill upnp, job done” was enough?
          So, it has nothing to do with Linux?
          Damn….
          I run Linux on a 8-bit AVR.
          Ok.., it’s a little slow but it felt secure.
          Thanks for destroying my day.

    • Want to stop making things in China? Then make them in the USA. How to do that? The secret is in knowing why they’re made in China in the 1st place. People think it’s ‘cuz the Chinese work for peanuts. That doesn’t hurt, but that ain’t the reason. The reason is the USA’s egregious corporate income taxes at near-40%. Trump wants to lower them to 15%, which will help, but the real solution is the Fair Tax, that totally repeals absolutely all the US income taxes of the backs of everybody – personal income tax, corporate income tax, payroll tax, gift tax, self employment tax, capital gains tax, estate tax – all forms of income tax. It replaces them with a consumption tax and a “prebate” that pays to each legal resident the amount of money they need to pay the consumption tax on all purchases up to the poverty level for their living situation. If they are a family of 4 and the poverty level for a family of 4 is $24K, then they get enough each month, in advance, to pay for the tax on 24,000/12 = $2,000 of spending each month. So, the poor pay $0 tax, and the rich, such as Trump who is speculated to not have paid any income tax for 18 years due to a huge loss in 1995, would have paid $30,000,000 on the purchase of a new $100,000,000 Boeing 757 that he so conspicuously flies around in.

      So, you want to build all that stuff in the USA? Get the US income tax off the backs of the US people, and we will be the newest, bestest manufacturing tax haven on the planet, where people can build things and not have the government tromping thru the door to steal 40% of your profits, or 15% of your profits, or anything. That’s how to quit making crap in China.

      • How many US manufacturers actually pay income tax? Not many from what I have seen, the USA gives companies that export from the US fantastic tax breaks. It is government policy and it has been that way just about forever.

  10. So these devices listening on telnet and ssh all need to be accessible through NAT on the user’s firewall, right? First question is, is that really necessary? Second, it seems like ISPs may be able to block this access themselves, perhaps with an advisory to the customer, and without affecting other services? If Flashpoint can so easily scan for affected devices, why don’t they share this information with providers?

    Understandably, guilty routers and firewalls may be available by default, but surely DVRs, printers, etc… Why are they reachable on 21 and 22 from the world?!

    • To answer part of my own question, it seems upnp might be part of the problem. Still, potentially there might be a role for service providers to play in assisting? I imagine new legislation that allows notice to be served to an ISP, who would then take action to reduce the threat from a particular customer.

    • Yet Another Eric

      The key here is something called “universal plug and play” or UPNP for short. This allows devices to reconfigure the router to add a port forward so that the device in question is visible to the entire internet.

      What happens if you turn that off? Depends on the device I guess – there will probably be some loss in functionality. The industry worked hard to make things easy to use and configure and never considered the possibility that brain-dead devices might be added to the network.

      ISPs could change the settings to disable UPNP. And they would probably field a lot of phone calls.

      On our own FIOS router, I note that there are port forwards to the FIOS TV boxes (which we no longer have). The router does not allow me to delete these forwards, which I find to be interesting. But the forwards themselves lead nowhere (nothing is at the IP addresses in question in our house), but if you had Verizon FIOS TV boxes, it is likely that your DVR would be accessible to the internet as a whole. Since we no longer have those boxes, I can’t probe them to see what kind of security they might have.

      • It would be better to have UPnP disabled by default. People that know what it is could enable it if they need it.

        • The problem with this approach is that UPnP was designed with people who aren’t tech savvy in mind. The kind of people where even going into their router and enabling UPnP would prove problematic. I think baking security standards into our internet connected devices would probably be a better idea, at least from a business perspective.

  11. After reading the mass media claiming that New World Hackers is formed by Chinese and Russian hackers, we have put together a list of facts

    http://www.spoofit.org/new-world-hackers-and-blazingfast/

    Those in the community that can help in the research please reach out.

  12. What’s really interesting is the idea of, at some point, having to use a defensive hack to take down these susceptible devices. Sending out a code that essentially “bricks” all these IoT devices if they’re being used to target something a little more dangerous than Reddit or Twitter.

    • @signaldistress

      Bricking a half a million devices would be a very dubious thing to do. In this instance the “infection” is in RAM so it would probably be best to craft something that reboots the device with the problem disabled.

      However, this is unlikely to be easy, you’d probably end up having to flash the device remotely. A complex and dangerous task at best; quite likely to lead to the bricking you mentioned.

      Maybe it would be enough for a “Grey-hat” to infect lots of them and just turn them all off at some appropriately disruptive time. ( hopefully: “busybox poweroff -n -f” )

      Repeat as necessary.

      • These are security cameras, right ? Turning them off is part of the joke. Along with their recorders.

  13. The culprits for these attacks are IoT and Firewalls with default settings, known unpatched security problems, and devices that use a listing server such as IP cameras. These have a way to punch through your basic firewalls to allow you to view them on the internet. That same server can be used to cough up your IP camera access/info, then the camera can be used externally to attack others.

    There are a lot of bots posted with full code atm, all of them have different approaches and script-kiddie-like adults using them.

    I’m glad we didn’t see the Russians were behind it on Krebs here. I’m so tired of hearing that unsupported crazy MSM garbage.

  14. An update to Mirai to brick an IoT device until power cycled would motivate owners to change the password or get a firmware update. Also, I read that 80% of the bots were DVRs – as these devices are usually owned by the cable/satellite company getting a fix out should be routine for them.

  15. Brian – Regarding your UL comment, I’m surprised you’re unaware of the work Mudge and his wife are doing around creating essentially a Cyber UL called the Cyber Independent Testing Lab.

    http://cyber-itl.org/

    I strongly suggest looking into their work, they’re off to a great start (in my opinion) and this is long overdue.

    • I’m well aware of it, thanks, and even followed their presentation this year at Defcon on the subject

      https://www.youtube.com/watch?v=HVjgKP2KIYI

      My comment about the need for a UL goes beyond this effort, however, which currently seemed more aimed at software than hardware. What we need is something quite a bit broader and more urgent.

      • Understood and agreed. It’s apparent the companies pumping these insecure products out won’t make any moves in the right direction unless it affects their bottom line.

        The Zatkos seem to be trying to empower the consumer with information to make more educated buying decisions, which may or may not incentivize manufacturers to change their behavior.

        It’s my opinion we need some significant legislation to push manufacturers in the right direction, but it will take someone much smarter than I to sketch out what that would look like.

  16. Brian is spot on. The Federal Gov sometimes protects you from things you don’t want to happen, ex. buying a lamp that burns your house down. To prevent that there are Nationally Recognized Testing Laboratories (NRTLs), of which UL is one. US law enforces that lamps sold must pass the UL electrical safety tests, sparing millions of people from electrical fires in their home. It would make sense for the IEEE to develop the standard. Maybe some kind of auto traffic throttling if anomalous traffic patterns were detected, the algorithm would have to be very good though.

    Access to internet is now as vital as running water and protecting that access is going to fall on government, commercial industry has no motivation. But undoubtedly this protection will equate to less privacy.

    • UL is already working on this. They do work with IoT and also have specific focus on medical devices and SCADA standards.

  17. How does one targeted by DDOS ever defend? Why do these attacks ever end? It would seem that they would continue until the botnet controller decides to stop. I suppose that the defense would be different for a site like Krebs compared to a network like DYN. Comments?

  18. Hangzhou Xiongmai Technology has acknowledged responsibility, says it initiated a first fix in September 2015 and wants customers to update their firmware.

    http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html

    But who are its customers? What brands of security cameras, sold in the US, use this chip set, and for how long have they done so?

    We need to find that out.

  19. I work at UL and we do have a Cyber Security program. It seems to be geared at this point towards Health Care Equipment and Industrial Control Equipment but I would assume that Consumer Devices is on its way. Better minds than mine would know.

    http://www.ul.com/newsroom/pressreleases/ul-launches-cybersecurity-assurance-program/

  20. Ok – here’s what I did to keep my Night Owl AHD7 security camera DVR from being a bot
    Useless for using internet to see my cameras but I could care less – I rarely leave my home/lab – http://www.ajawamnet.com

    It does still allow me to log in on the local network with a browser and see the cameras/admin the box

    First, set up your router to not do silly – no remote, shut off all port forwarding, etc… and def the satan of uPNP (see http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html ). Set all the router stuff to a 0 address and disable

    Note Console cowdude was able to get U-Boot to give him a login, I think (since his article was from 2013) they shut that off. I’ll let you know…

    But I was able to set up the DVR to hose its ability to connect to the mothership. Just go into the network config of your DVR, use a static IP and settings, disable DHCP, and set the gateway and DNS last octet to 0.

    Example – 192.168.1.0

    I consoled into mine using a RS-232 level shifter. Before I did this you could see (both on the console and in Wireshark) that it was phoning home and all happy with being able to connect to the internet:

    Here’s a link to a pic of my levelshifter connections:
    http://www.ajawamnet.com/stoopiddvr.jpg

    Before I set the Gateway and DNS to null:

    UIIPC]F:calback, L:608, UI msg main:1000, sub:62
    [APP]: End process message(MainType:1000, SubType:62, MsgSize:0, Sequence:21)
    [GUI]: Received message(MainType:1000, SubType:62, MsgSize:8, Sequence:21)
    Calling IOTC_Device_Login() ret = 0, UID[BGT8FTFD7C2GUJW4111A]
    P2PTunnelServer_Start Success, I can connected by Internet.
    Call P2PTunnelServer_GetSessionInfo ret[0]
    set HDDled group: 10 bit: 3
    set Record Group: 12 bit: 1
    set PlayBack group: 12 bit: 0
    set NetWorkBit group: 12 bit: 4
    change_file end is /dev/ttyAMA2
    Open /dev/ttyAMA2 success!!
    Set termios done!
    Set termios done!

    With a “real” DNS and Gateway set up in the DVR’s network settings, my Wireshark Port mirror showed all kindsa stuff going to about 5 different routable IP addresses (prob in CN somewhere…)

    After I set it to null for gateway and DNS, and I verified this with Wireshark running on a port mirrored switch (look up port mirroring; the Netgear ProSafes can do this):

    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [NET][AlarmTUTKPushThread] line[7466] tutk reg faile !
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
    [NET][TutkPushRegServ] line[6950] tutk pushreg fialed
    [NET][AlarmTUTKPushThread] line[7466] tutk reg faile !
    Calling IOTC_Device_Login() ret = -41, UID[BGT8FTFD7C2GUJW4111A]
    No Internet, error[-41]!! Reconnect after 15sec…

    Love the misspellings for their console output – “Fialed” (I should talk – I suck at typing, I’m a bass player)

    As I mentioned – a 5 hour run with a port mirrored Wireshark session shows no connection to the web. It be all confoosed with null for a gateway and DNS…
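A small triage helper, added here as an example and not the commenter’s own code, that turns the two kinds of evidence used in the post above (the DVR’s serial console lines and the port-mirror capture) into a single verdict; the console excerpts, the UID, all IP addresses and the flow records are constructed stand-ins, and the capture rather than the console is treated as ground truth, since the device’s own output is only its claim about itself:

```python
"""Triage helper for an IoT DVR phone-home check. Added example, not the
commenter's code. Console text, UID, IPs and flows are constructed stand-ins
shaped like the Night Owl serial output quoted in the post."""
import ipaddress
import re
from collections import Counter

# Constructed console excerpts. The UID is a placeholder; the hostname is
# the vendor host that appears in the post.
CONSOLE_BEFORE = """\
Calling IOTC_Device_Login() ret = 0, UID[PLACEHOLDERUID000000]
P2PTunnelServer_Start Success, I can connected by Internet.
Call P2PTunnelServer_GetSessionInfo ret[0]
"""
CONSOLE_AFTER = """\
No Internet, error[-41]!! Reconnect after 15sec...
Calling IOTC_Device_Login() ret = -41, UID[PLACEHOLDERUID000000]
[COMM][TcpConnect] line[701] getaddrinfo error host.nightowldvr04.com, 80: Name or service not known
[NET][TutkPushRegServ] line[6950] tutk pushreg fialed
Calling IOTC_Device_Login() ret = -41, UID[PLACEHOLDERUID000000]
"""

LOGIN_RE = re.compile(r"IOTC_Device_Login\(\) ret = (-?\d+), UID\[([^\]]+)\]")
RESOLVE_RE = re.compile(r"getaddrinfo error ([^\s,]+), (\d+):")
TUNNEL_UP = "P2PTunnelServer_Start Success"


def parse_console(text):
    """Summarise what the DVR itself reports about its P2P/cloud login."""
    rets, uids, hosts, tunnel_up = Counter(), set(), Counter(), False
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            rets[int(m.group(1))] += 1     # 0 = logged in, negative = failed
            uids.add(m.group(2))
            continue
        m = RESOLVE_RE.search(line)
        if m:
            hosts[(m.group(1), int(m.group(2)))] += 1   # hosts it tried to reach
            continue
        if TUNNEL_UP in line:
            tunnel_up = True
    return {"login_ret": dict(rets), "uids": uids,
            "resolve_failures": dict(hosts), "tunnel_up": tunnel_up}


# Destinations that never leave the LAN. Everything else counts as egress,
# including the RFC 5737 documentation ranges used below as stand-in vendor IPs.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def leaves_lan(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def egress_flows(flows, device_ip):
    """Flows (src, dst, dport, proto) from the DVR to off-LAN destinations."""
    return [f for f in flows if f[0] == device_ip and leaves_lan(f[1])]


def verdict(console_text, flows, device_ip):
    """'exposed' if either source shows internet reachability; 'blocked' only
    when the console shows failed logins AND the capture shows no egress."""
    summary = parse_console(console_text)
    egress = egress_flows(flows, device_ip)
    if egress or summary["tunnel_up"] or summary["login_ret"].get(0, 0):
        return "exposed"          # the capture is ground truth, the console is hearsay
    if summary["login_ret"]:      # attempts seen, none succeeded, nothing left the LAN
        return "blocked"
    return "inconclusive"         # no evidence either way


# Constructed flow records for a DVR at 192.168.1.50: (src, dst, dport, proto).
DVR_IP = "192.168.1.50"
FLOWS_BEFORE = [
    (DVR_IP, "192.168.1.1", 53, "udp"),         # DNS to the router
    (DVR_IP, "203.0.113.10", 80, "tcp"),        # vendor HTTP (stand-in IP)
    (DVR_IP, "198.51.100.7", 10240, "udp"),     # P2P relay (stand-in IP)
    ("192.168.1.20", DVR_IP, 80, "tcp"),        # laptop viewing the cameras
]
FLOWS_AFTER = [
    (DVR_IP, "192.168.1.20", 80, "tcp"),        # local web UI still works
    (DVR_IP, "239.255.255.250", 1900, "udp"),   # SSDP (UPnP) stays on the LAN
]

if __name__ == "__main__":
    for label, con, flows in (("before", CONSOLE_BEFORE, FLOWS_BEFORE),
                              ("after", CONSOLE_AFTER, FLOWS_AFTER)):
        print(label, verdict(con, flows, DVR_IP), egress_flows(flows, DVR_IP))
```

Feed it a real port-mirror export and console log and the verdict only turns to “blocked” when both agree, which is the check the commenter ran by hand over a five-hour capture.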

  21. BTW – if anyone wants to see the full logs pre and post null settings email me. My email is on my link to my webpage. They’re quite interesting….

    As I mentioned before, they should not be using Linux for this stuff. Yea, they’ll patch their busybot firmware, but really… there’s no need to run a GP OS on this kinda stuff.

    http://www.ajawamnet.com

  22. Any advice on how I can find a DVR that doesn’t have components from XiongMai in it?

    thanks

  23. What really ticks me off is that I have warned people of this while doing Qualifications (audit on steroids). Many companies lack the administrative personnel to make the proper IT calls on removal of this crap. Mind you even if they do remove it, what are the viable alternatives that are cost effective and easily integrated?

    It’s always easy to say something sucks, not as easy to find a solution to the problem. There is also the factor of investing in right people to monitor, secure and maintain the network. Which I have to say, is difficult to do when there is such a fatty layer of figureheads in IT director positions.

    One last thing. While doing a qualification of a WAN I sent an envelope with tests for routers and switches, a camera, and a pen to fill out results to a branch in Beijing. (We do this to ensure the testers cannot claim they could not find one and therefore not complete a test.) The envelope was stopped by customs in China. It was stripped and our personnel were asked why they could not use a pen made in China and why they could not use a camera made in China. So this blind trust we have in China is not reciprocated. How many times do we have to get burned before we smarten up?

  24. If the mafia had an internet security company they would launch attacks until everyone subscribed. And occasionally after that to keep everyone in line. Just sayin’

    Not an expert

  25. On the bright side, many of those consumer grade IoT devices use low quality components and they will gradually disappear from the Internet as they fail. It will take several years, and in the meantime countries should establish customs screening to keep vulnerable IoT devices out of their domestic markets.

  26. Interesting that none of this seems to be impacting Apple’s IoT products (HomeKit). Apparently the “walled garden” is a safe place to be these days.

  27. Idealistic proposals and fantasy won’t work. Only one approach will. Any hacker with Bot Net experience could build a Bot that logs in to any unsecured devices and changes the settings/password to secure that ip. It would be a Bot Net attack in reverse. That is the only way to quickly attack and solve the problem. It may brick some devices but the alternative is nationally suicidal. Is anyone here qualified to do it?

  28. If the IoT devices can be identified and hacked to serve the DDoS purposes, why couldn’t a similar system exist that identified and either inoculated or simply shut down the same devices?

  29. very interesting, billLee, it does exist, check out http://www.cybersecuritysalary.org/


Alleged Child Porn Lord Faces US Extradition — Krebs on Security

22
Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.

Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (30 years for each count).


91 comments

  1. With any luck he’ll end up in a prison with crappy security and a population that knows who he is and what he did.

  2. That is one sick puppy

  3. I think that for once, the comments calling for something bad to happen to this individual might be justified.

  4. Thank you for this update. Let’s get this case going.

  5. For those of you endorsing violence in prison against this individual, just think about what you are accepting. Have you really considered that you, your kids, or your friends could also possibly end up in the same prison system where it is acceptable or condoned for prisoners to be assaulted?

    • Well, if they were doing this to children, then YES!

      • Well then why don’t we just change the laws and have the courts sentence them to physical torture and rape? The price people pay for crimes committed should be the price of the sentence prescribed by the courts, not vigilante justice. If you actually think that people convicted of crimes should be tortured and beaten up as part of their punishment, then pass laws that sentence them to that. It is not the job of convicts, prison guards or police officers to dole out punishment. The punishment is for the courts to decide, and if that’s not good enough, then change the laws.

    • If any of my relatives do what this guy did, then my relatives would get what they deserve.

      • Valarie Crockett

        And will you not be just as bad as your relative and deserve punishment for your wrongdoings? Maybe a counselor could help explain why people look at porn in the first place. Some people need help, not for you to turn your cheek the other way.

    • Yeeahhh normally I’d agree with you, but not this time.

    • Sarah Everidge

      To condone violence against others as a solution is never going to work

      • Violence tends to cause more violence so even if it should technically solve a problem in most of the cases it still isn’t wise to use violence. If you are categorically against violence I respect you and if society treats even a monster like a human being I am proud about that. But in case of child pornography if violence happened against someone who did it or who profited from it I wouldn’t be unhappy if society collectively turned around and allowed someone punish the ones who ruined countless lives that just had begun for them.

        • These days we don’t really know who those criminals are. Whether they have a background activity of doing something or not. Some of them really know how to hide from authority and it is sad that our children might be victims. I just found a website that can search your name online to see if you have done something illegal in the past. It has free background checks; here is the link https://www.checkpeople.com/background-check

    • if anyone close to me, no matter the relation, did this, and i found out about it. they would be lucky to survive long enough to go to jail. this is the most one of the most sickening things imaginable. absolutely no sympathy for these vomit inducing scumbags.

    • Have you considered if the victims were your kids? Anyone who does this to children, family or not shouldn’t receive any compassion. This is absolutely unacceptable, and if a family member did this to any children, I would personally impose physical discomfort on them and assist law enforcement as needed to ensure they stay locked up behind bars. So sickening!

  6. Aside from the obvious outrage over this sleazy individual and his “line of business”, I am somewhat disturbed over Firefox having such backdoor! Did anyone else notice that “little” nuance?

    As much as I like the fact that it helped FBI to catch this guy, I am also appalled that it will help assist “strongmen” in Russia, Turkey, China, Iran, Venezuela to go after political opposition and dissidents. That should not be allowed, Mozilla foundation!

    • It was a zero-day vulnerability that had been patched by the time the story broke (I think it was even patched in the latest Tor Browser during the investigation, but not everybody had updated) and required JavaScript to be enabled (a bad security practice that I do not know why the Tor Project engages in by default).

      • Technically recent copies of Tor Browser ship with noscript enabled in whitelist mode where all scripts are disabled by default and must be explicitly enabled one by one. Most modern websites are broken with javascript disabled which is why the option to enable it is included instead of a blanket enable/disable option (which would, arguably, be far worse than the finer toothed noscript option). Not sure about the timeline, noscript may have been started to be included in response to this exploit.

  7. I’m more than a little confused on the technology here. Was this a website on a traditional server that somehow shows up as an onion website?

    • It existed on the Internet but the website could not be accessed via a usual Internet address (“clearnet”) but only via an overlay network called Tor; it *was* possible to administer it via its IP address (not over the Web, but over other protocols like SSH), but things like vhosts can be set to disallow Web access without using the proper hostname, and it is not possible to get an IP address from a .onion domain (hidden-service name).

  8. The Sunshine State

    One of the worst federal charges that you can get nailed with is “Child Porn”. There is absolutely no defense if the feds do a hard drive forensic and find illegal images: “stick a fork in you, you are done!”

  9. Dear FBI, your miserable attempts to track us down and arrest us will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous.
    I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
    Just who do you think you are anyway to sit there in your rotten departments of (in)justice and make plans on how to arrest citizens for browsing the internet?

    We the freedom fighters will never let you seize our freedoms and individual liberties.

    You can make exploits, we will make security systems.
    You can keep tracking us, we will keep anonymizing ourselves.

    Encryption is on our side.
    Human will is on our side.
    Liberty is on our side.
    We will be victorious.

    • So… I guess prepubescent children don’t deserve any of the freedom you claim to be fighting for.

    • Anubis = the Egyptian god of mummification and the afterlife as well as the patron god of lost souls and the helpless.

      Apparently this wannabe freedom fighter is focused on the lost souls versus the helpless.

      In any case he’s a troll.

    • “We will be victorious.”

      No, you won’t.

    • Mighty Anonamouse

      Dear TORTURE OF CHILDREN, your miserable attempts to ESCAPE us – will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous, MORE PEOPLE WILL GO DEEP TO GET YOU.
      I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
      Just who do you think you are anyway to sit there in your rotten CAVE of injustice and make plans on how to TORTURE CHILDREN for FUN?

      We the freedom fighters will never let you seize our CHILDREN’S freedoms and individual liberties.

      You can HIDE IN exploits, we will make security systems.
      You can keep HIDING, we will keep FINDING YOU.

      TIME is on our side.
      Human will is on our side.
      Liberty is on our side.
      We will be victorious.

    • “… countless individuals who wish for only one thing in their lives – privacy and liberty.”

      That’s two things.

    • You forgot about the most powerful advocate of children. JESUS CHRIST, LORD OF LORDS and KING OF KINGS.

    • You are an IDIOT!
      Your stupid liberty bell argument has no merit. You have no common sense; I take it you are one delusional mind. And can you tell me just what in hell’s name you do on the internet that has you thinking you’re some freedom fighter of privacy? Unfortunately the world is a sick, sick place and those evil people took our privilege of privacy online away. These are innocent children and have more of a right than your internet privacy to be safe! So suck it up, buttercup. You are being watched; get used to it, so pick the right fight to fight! Your head is twisted and you ain’t Superman and no, you can’t fly!!!

  10. Harry Johnston

    So far as I can tell, the alleged crimes took place while the accused was in Ireland. Why is he being extradited to the US?

    • The story linked at the bottom of the piece goes into that question in detail.

    • Short answer: The FBI had the evidence against him. They have much more credibility in US courts. Irish prosecutors declined to charge him so the courts would send him to the US where he’s *much* more likely to be convicted.

    • ” Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. ”

      US citizenship means he is subject to all US laws, no matter where he is.

  11. The real porn lords are the elite like the Rothschilds, Rockefellers and Jesuits. This is just a fall guy that provides them with “throwaway” children they eat after sodomizing and drinking their blood to stay young. When it doesn’t work anymore they get a replacement body. The secret tech is very close to what we see in science-fiction which is really non-fiction. Truth is stranger than fiction. They lie about everything else. Why not that too?

  12. “Government says…”
    “Investigators allege…”

    What does the evidence show? What is the defense saying?

    It’s all well and good to report on convictions and the legal process, but what is the public interest being served by repeating salacious allegations from government thugs or name-calling the defendant for a headline?

    Btw, calling child abuse imagery “porn” diminishes its seriousness. The legitimate porn industry helped build the Internet (1). Real porn is gross, but harmless. This crap, however, is a symptom of despicable abuse, and should be called as such: recorded images of child abuse.

    That said, this case is nonsense. Even if the guy did everything alleged, it wasn’t in the US and he wasn’t in the US. The search warrants will be tossed out or it’ll end in a plea. It’s obvious that the FBI utilized NSA expertise and they’ll want to keep that out of the public record. No way this gets to a jury.

    (1) google it.

    • Apparently you missed “Marques, who holds dual Irish-US citizenship”, and you didn’t read the Irish Times article that Brian pointed to and you are not familiar with US Extraterritorial jurisdiction (ETJ).

      There are certain crimes that US citizens can be held accountable and indicted, no matter where they are perpetrated.

      Also, extradition treaties come into effect.

      Consider El Chapo in Mexico may have never set foot in the US. So using your logic, he could never be held accountable and tried in the US. But that’s not how the system works.

      • The only reason Ireland is surrendering Marques is their inability to do anything useful with the illegally obtained information gathered by the FBI, while not wanting to appear lenient regarding child abuse imagery.

        Unlike Guzman, Marques is not alleged to have done any crimes, or directed crimes be done, in the US. The FBI was completely out of their authority to remotely investigate this case.

        Guzman’s activities directly affected Americans.

        US authority doesn’t extend into other countries when crimes don’t affect Americans. A long string of Supreme Court rulings have knocked down laws seeking to punish people who do bad things overseas. (1)

        The process here is an attempt to circumvent the Irish jury system and intimidate Marques to plead guilty on arrival to the US. It will probably never reach a US jury, as it offends Americans’ sense of justice to consider illegally obtained evidence.

        (1) http://cornelllawreview.org/articles/what-is-extraterritorial-jurisdiction/

        • “US authority doesn’t extend into other countries when crimes don’t affect Americans.”

          Ah, so none of the abused children were Americans. Is that right? It’s not mentioned in the article. And even if that were the case, are American children worth more than non-American children?

          It seems him having US citizenship is enough to grant them jurisdiction, and I’m OK with that.

        • “it offends Americans’ sense of justice to consider illegally obtained evidence.”

          Haha, you can’t be serious. Obviously, you haven’t seen much of our justice system in action.

        • The US does have jurisdiction to investigate crimes involving the hosting of child pornography. See link attached. He ran the websites, so yes he should be (and could be) investigated.

          • Further Thoughts

            He did not run the websites. He owned the website hosting company. That’s like the difference between a person who makes threatening phone calls and the person that runs the phone company.

            • In what scenario is it ordinary business conduct for a “phone company” to collect images of child abuse or encourage criminals to collect more?

              This guy is alleged to be far more than a hosting provider. What evidence do you have to contrast that?

            • BowB4RightNotMight

              Sir;

              This is not a good comparison and you should be ashamed of yourself for spreading that kind of rhetoric. I hope you do not have children or children in your family. The guy’s hosting company was exclusively designed to hide CHILD PORN. You’re comparing this guy to a regular phone company that is designed for public communication and is sometimes used by A$$holes to make pranks.
              I won’t judge you but I hope you were just being an A$$hole yourself and you didn’t mean it like how it sounds.

  13. As much as I would like to see this individual suffer in some direct physical sense, the civilized part of me will be satisfied if he is consigned for a LONG period of time to the Supermax in Florence, Colorado. For those not familiar with that prison, it’s been described as a living death, and rightly so.

  14. HA! HA! More than one can play at this “hacking” game! Kudos to law enforcement for using the tools at hand!

  15. So basically, all he did was provide VPS’s on Tor? Standard nothingburger from the FBI baby-killers.

    Did Eric Eoin Marques burn 17 little children alive?

  16. Thinking Further

    Eric Eoin Marques was not running the porn sites — he ran Freedom Hosting, an internet website hosting service that had 30,000 or more sites. Of those, the FBI claims 100 sites had child abuse images. Marques ran his business by himself. His terms of service stated that his customers could not upload anything illegal onto their sites or use their sites for any illegal purpose. He also had a privacy policy that he did not look at or go onto the sites being hosted on his servers. Holding Marques responsible for the contents of his customers’ websites breaks new legal ground. This is like holding Amazon Web Services responsible for the contents of all the websites on AWS or holding Twitter responsible for all the tweets, pictures, and videos tweeted by the millions of Twitter users. The FBI has called Marques the largest facilitator of child porn, which has been effective at getting the public to rush to judgement. In reality, he is a guy with Asperger’s syndrome who had a Tor website hosting company in his bedroom, and 100 of the more than 30,000 sites were run by customers taking advantage of the situation to run sites with child porn. No one has suggested exactly how he was supposed to ferret out those abusive sites. Amazon Web Services also does not allow illegal content, but it refuses to remove illegal content that is reported to the company, which is a complex, obscure, and difficult process, unless there is a court order stating the content must be removed. In other words, AWS handles illegal content by ignoring it, even if it is reported, unless there is a court order stating it must be removed. The FBI never tried going to Marques with a court order stating which sites were to be removed, but instead, arrested him and charged him with crimes, as being responsible for the content of all the websites on his web hosting service. This breaks new territory in US internet crime prosecutions.

    Is the DOJ going to hold AWS, Twitter, Facebook, and all the internet giants responsible for all the content posted by all of its users? If not, exactly why are they doing that to this one guy from Ireland? Maybe that will be explained in this court case.

    • Is a diagnosis of Asperger’s an affirmative defense to anything?
      Seems he was very high functioning if true.

      We do not know if he was checking the contents of those he was hosting or not. Likely he was observed remotely or there is other evidence he was involved in more than hosting.

      One wonders if the following is true, why he would do such a thing, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

      What was so precious on that laptop?

      With the Cloud Act having been passed a year ago, the feds likely have much more information available than has been publicly released to date.

      https://money.cnn.com/2018/03/23/technology/spending-bill-microsoft-lawsuit-supreme-court/index.html

      • A person can dive for any number of reasons, including to avoid the explosive end of an agent’s firearm. It doesn’t prove ownership or intent or guilt.

        As for the law you mentioned, it came years after this guy was arrested. Doesn’t apply.

    • Random Thoughts

      I think you hit the nail on the head. I was looking for information in this article that might highlight what he was doing instead of what the DOJ wants people to read. Admittedly I didn’t read the linked articles but it does appear you are right. He ran a hosting service that simply did not shutter some sites run by other individuals. Those are the people I want to see shut down. Not a hosting provider that has sites that Governments don’t like.

      I am conflicted because he likely isn’t cooperating with investigators to close down the sites that SHOULD be closed. Possibly because the US Government would want other sites closed because they harm big companies or share secrets the government would like to not be shared.

      But I don’t think we should rush to judgement that he or anyone should be harmed in jail just because a DOJ PR report said they did something so horrendous we don’t want to think about it. DOJ has been wrong before, and this piece appears to be another example if he was a web site hosting company and not actually involved with or visited or even received complaints about the offending sites.

      • Further Thoughts

        Thanks for thinking logically. As explained in many news stories, when the rented server used by Marques was taken down by the FBI, all the sites on it were taken offline.

        And the story gets better still. Supposedly some of these alleged child abuse image sites are actually Japanese manga or other cartoons. That’s why it’s so important to see what the evidence actually is.

        • Thinking Further, Random Thoughts, and Further Thoughts. Are you three somehow related, having a “discussion” of talking points you’ve already agreed on?

          • Oh I don’t know, Steve, are WE the same people?! Are WE just having a discussion within ourselves?! The internet may never know…

            • Oh Steven, you silly, silly man. Wait… is this the same Steve or are there now THREE OF US??!!

              • Come on Steve, they are all one person and it is you and I who are different. Or… what if… even ALL of us are the same person?! MY HEART CAN’T HANDLE THIS SITUATION!!!!

        • Can you cite to this research, so we may also read it?

          In regards to the CP sites actually “only hosting Japanese Manga or other cartoons”.

    • He would have known about the child porn sites in 2011, when Anonymous started Operation DarkNet and was DOS’ing his hosted sites.

    • You have it all wrong. In some of the other research and articles about Freedom Hosting, Marques clearly knew what servers and sites his clients were hosting (CP) and still continued to let them operate on his hosting and in some cases even helped them to avoid takedowns or LE operations.

      He is not some innocent random guy who ran a website hosting company as you claim. He knowingly helped to host CP and disgusting sites and keep them online.

      • Further Thoughts

        Can you cite to this research, so we may also read it?

        • Sure thing. He was fully aware of the content he was hosting and actively marketed it as such.

          https://thegoldwater.com/news/29059-World-s-Largest-Facilitator-of-Child-Porn-will-be-Extradited-to-the-US-to-Face-Justice

          “Prosecutors say that Marques was born in the United States of America, but that he’s an Irishman who fled the United States of America to set out upon a profitable venture on the internet with the intention of targeting child pornographic distribution networks in order to make his fortune, and that’s what the FBI says he did.”

          “The Federal Bureau of Investigation participated with coordination of the low-key raid on Marques, where for years he’d bragged to the pedophiles using his services that he was untouchable.”

          “The argument from the FBI is that Marques was fully aware of what he was doing; knowing that child pornography was being hosted on his services and that he was profiting from this.”

          • Thank you.
            Unimaginable that people treat the worst child abuse so lightly.

          • Buncha Malarkey

            You should consider getting your information from more reliable sources . He “fled” the United States at the age of 4 because his parents moved back to Ireland and imagine this – they took their 4 year old with them. He is only a US citizen by birthright; neither of his parents is a US citizen and he lived only a few years in the US, as a young child.

    • IF that is the case, then it will set and change precedent and you’d see Facebook, Twitter et al flip their lids over it. I seriously doubt that is the case.

    • BowB4RightNotMight

      You sound like you were one of his users sir; if he has 100 child porn sites on his hosting server, what are the other websites advocating? It surely cannot be religion. You make no sense. You wrote an entire essay to justify why a Child Porn advocate is innocent? Is that what this essay is about? #BowB4RightNotMight

  17. I’m confused. How can the FBI have jurisdiction here?

    Unless the pedo-websites were actually hosted in the US or the operator resided in the US, the FBI should not be involved as it is a national bureau of investigation with jurisdiction in the US alone. Eric Eoin Marques lived and operated the site from Ireland.

  18. To echo the comments of ‘Thinking Further’ above.. There was a lot of collateral damage when Freedom Hosting was shut down. I don’t think many people realized how many (non-porn) Tor sites were running on Freedom Hosting until it disappeared.

    If Marques was knowingly hosting child porn sites, that’s a problem that needs to be dealt with. I’m not sure that we can jump to that conclusion.

    It’s not clear whether, or to what extent, he knew what was being hosted. An ethical hosting provider does not go sifting through the contents of their customers’ data. If they receive an abuse complaint, they are aware at that point and have a duty to respond. It’s doubtful that the child porn sites identified their hosting provider, and due to the nature of Tor there was no other way of identifying and contacting the provider. It’s highly unlikely that Freedom Hosting was notified of the content.

    This is likely a case of Marques taking the money and looking the other way, but pursuing criminal penalties for child porn/abuse appears to be inappropriate.

    • He had to have known he was hosting child porn by 2013. Anonymous started DDOS’ing those sites in 2011 as part of Operation Darknet. To say a hosting provider wouldn’t be aware of the systems issues and the publicity surrounding it is just not credible.

      https://www.bbc.com/news/technology-15428203

      • Further Thoughts

        The article you linked does not back up your claims. It is not likely their efforts, which were crimes in themselves, knocked anything off Tor, let alone any specific offensive sites. Just because someone calling themselves Anonymous claims to be doing something does not mean it is actually happening.

  19. “The sites could only be accessed using the Tor Browser Bundle”

    This isn’t strictly true. You do need to use Tor, but you can use that with any browser if you have the service running on your computer. The Tor Browser is just a tool that makes Tor easier to use.

  20. Look at you all. This group has abandoned all common decency and is quarreling over a Firefox back door. Forget the kids, who were TORTURED and RAPED, let’s get mad about something that was probably designed to stop this sick industry. What happened to the children afterwards? Thought about that? Your internet god has removed all traces of decency in you all.

    • Not so, Charlie. Most children who become the subjects of child porn images and videos have this done to them by their parents, guardians, or other people in their lives who are in a position of trust. That’s why going after the creators of child porn, or those that run websites trading in child porn, makes sense.

      Putting criminal responsibility onto the man who ran a website hosting service, the terms of service of which clearly stated that no illegal contents were allowed onto the sites, makes little to no sense. If you want website hosting services to be responsible for the contents of all the websites on the host services, then no one will be able to be a website host.

      This is quite like holding the phone company responsible for everything everyone says on all phone calls. It makes no sense. Should the presidents of iPhone and Sprint be put in prison because teenagers are sexting and old men are sending dick pics?

    • And what about dissidents and people who are trying to fight government oppression who might be facing torture and death because of backdoors. Study the history of oppressive regimes and they often start with violations of civil liberties that are emotionally justified but then lead to abuses that include genocide.

      I would also add that in the US a person is innocent until found guilty by a jury. If you think vigilante justice works read “The Oxbow Incident”

    • Charlie, you’re wrong.

      This article is primarily about technology and a long-running legal case. The comments reflect this.

      Second, a comments section is not an appropriate venue for psychological support or victim pathologies.

  21. I wonder if this was leveraging the WebRTC exploit because all the info I read points to it.
    A lot of common VPN providers were also affected by this browser issue!

  22. So glad you reported on this development. At a time when the FBI seems to be under attack for political reasons, it is good to push a story like this to the forefront. Child porn, and those profiting from it need to be tracked down and held accountable.

    Thanks Krebs for keeping us informed. You do a great job.
    Respectfully,

    Kevin D. Eack

  23. @Brian

    > 3o [sic] years for each count

    You have an O where you probably should have a 0.



Coinhive Exposé Prompts Cancer Research Fundraiser — Krebs on Security

30
Mar 18

Coinhive Exposé Prompts Cancer Research Fundraiser

A story published here this week revealed the real-life identity behind the original creator of Coinhive — a controversial cryptocurrency mining service that several security firms have recently labeled the most ubiquitous malware threat on the Internet today. In an unusual form of protest against that story, members of a popular German language image-posting board founded by the Coinhive creator have vented their dismay by donating hundreds of thousands of euros to local charities that support cancer research.

On Monday KrebsOnSecurity published Who and What is Coinhive, an in-depth story which proved that the founder of Coinhive was indeed the founder of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code primarily is found on tens of thousands of hacked Web sites, and because the until-recently anonymous Coinhive operator(s) have been reluctant to take steps that might curb the widespread abuse of their platform.

One of countless pages of images posted about this author by pr0gramm users in response to the story about Coinhive.

In an early version of its Web site, Coinhive said its service was first tested on pr0gramm, and that the founder(s) of Coinhive considered pr0gramm “their platform” of 11 years (exactly the length of time pr0gramm has been online). Coinhive declined to say who was running their service, and tried to tell me their earlier statement about Coinhive’s longtime affiliation with pr0gramm was a convenient lie that was used to help jump-start the service by enlisting the help of pr0gramm’s thousands of members.

Undeterred, I proceeded with my research based on the assumption that one or more of the founders of pr0gramm were involved in Coinhive. When I learned the real-life identities of the pr0gramm founders and approached them directly, each deflected questions about their apparent roles in founding and launching Coinhive.

However, shortly after the Coinhive story went live, the original founder of pr0gramm (Dominic Szablewski, a.k.a. “cha0s”) published a blog post acknowledging that he was in fact the creator of Coinhive. What’s more, Coinhive has since added legal contact information to its Web site, and has said it is now taking steps to ensure that it no longer profits from cryptocurrency mining activity after hacked Web site owners report finding Coinhive’s code on their sites.

Normally, when KrebsOnSecurity publishes a piece that sheds light on a corner of the Internet that would rather remain in the shadows, the response is as predictable as it is swift: Distributed denial-of-service (DDoS) attacks on this site combined with threats of physical violence and harm from anonymous users on Twitter and other social networks.

While this site did receive several small DDoS attacks this week — and more than a few anonymous threats of physical violence and even death related to the Coinhive story — the response from pr0gramm members has been remarkably positive overall.

The pr0gramm community quickly seized on the fact that my last name — Krebs — means “crab” and “cancer” in German. Apparently urged by one of the pr0gramm founders named in the story to express their anger in “objective and polite” ways, several pr0gramm members took to donating money to the Deutsche Krebshilfe (German Cancer Aid/DKMS) Web site as a way to display their unity and numbers.

The protest (pr0test?) soon caught on in the Twitter hashtag “#KrebsIsCancer,” promoted and re-tweeted heavily by pr0gramm members as a means to “Fight Krebs” or fight cancer. According to a statement on DKMS’s Web site, the KrebsIsCancer campaign involved donations from more than 8,300 people totaling 207,500 euros (~USD $256,000).

Update, 2:46 p.m. ET: Updated donation figures per statement posted today on DKMS site.


68 comments

  1. The Sunshine State

    Stay safe Brian, don’t let the sc#m scare you

  2. This is an incredibly odd (but awesome) reaction from the pr0gramm community. Maybe the rest of your detractors will follow suit 🙂

    • Just a heads up to the many people trying (but failing) to leave comments here. If you wish to leave a comment, my suggestion is to do so without using extreme profanity, and to keep it on topic. The former will get your comment held for moderation, and the latter will get your comment removed or sent to /dev/null entirely.

      • Thanks for at least getting the numbers right.

        On topic / off topic: exposing real names of real people on the internet accusing them of… well… try that stuff in your home country and I bet a lawyer will stick it to you.

        • The 1st Amendment is a great thing!

          • The first amendment applies to government organizations, not private websites, and even then, hate speech, profanity, and defamation are not protected speech anyway.

            • Ah our good friend, but if you understood the laws of our “home country”, you would understand that “truth of statement” is a defense against libel and defamation claims. But go ahead and go play in that playground. There is also the concept of “discovery” in the process that can be compelled by writs of contempt, etc. So what is whispered in the ear, will be shouted from mountaintops, and what is hidden in darkness will be brought out into the light of day. It being Good Friday and all, I felt that was an apropos statement…

            • Hate speech is free speech though, just as much as profanity.

              As long as you’re not inciting violence it’s free speech. Why does no one get that?

              • Hate speech always leads to violence in the end. It isn’t any different than yelling “FIRE” in a crowded theater, which is not free speech either (as long as there is no actual fire).

                • Brian Lopsitch

                  Thanks to Krebs for the research and the fun drama that ensued, and the interesting topics and debates that got expounded here and elsewhere.

                  Not sure if DOXing cha0s was the right thing to do, but it’s not clearly wrong either.

                  The root problem here began when WWW was corrupted to include executable code. Those of us who have been involved in security for a longer period can recall when data was data and code was code. (Despite GEB’s record-player-breakers).

                  When Adobe began putting code into its postscript documents, I knew we were in for hell, which continued with the introduction of javascript to the WWW and now exploits everywhere, with every site you visit able to pwn you.

                  The time to address this was 25 years ago. Now I just watch the world burn.

                  • If your position is that we should do away with all executable scripts on the WWW to minimize attack surfaces then you might as well just argue that we should do away with all digital technology to avoid being hacked.

                • >Hate speech always leads to violence in the end.
                  >It isn’t any different that yelling “FIRE” in a crowded
                  >theater

                  Your analogy has no legal basis (in U.S. law where the first amendment is extremely strong protection).

                  Brandenburg v. Ohio, 1969.

                  Unless the speech advocates an imminent, dangerous action it’s protected.

                  “always…in the end” explicitly fails to meet that standard by its plain language.

                  • It is just my opinion, but I feel SCOTUS erred in that judgement; but I can see why they did it – because they likened it to similar calls to action made by people resisting tyranny. I disagree with their call on that. I can see calls to some kind of action for political reasons, but to do it because you hate a specific race, creed, religion, etc., there really isn’t an excuse in my book. I’ll never admit I’m wrong on that one.

                • Please give some evidence that hate speech always leads to violence. This is a bold statement and I for one have a hard time believing you can prove this with facts.

                  Defamation doesn’t apply if it’s not a lie, otherwise it’s just the truth and the TRUTH doesn’t care about your feelings.

                  Libel is the same as defamation.

                  Now if something was shown to be intentional lies, then perhaps you could get somewhere, UNLESS you’re the media, in which case Obama signed a law that made it legal for them to lie to you all day long. You can blame Obama or not, up to you, just saying, facts.

                  Keep it going Brian..

        • Krebs does these kinds of “Who is…” stories all the time. Here are a few

          https://krebsonsecurity.com/?s=%22mind+map%22&x=0&y=0

          I don’t think he makes any distinction about whether people he tracks down are from the US, Germany or the South Pole.

          If the founders of pr0gramm really were that concerned about keeping their names a secret, maybe they shouldn’t have registered dozens of domains in their own name in PUBLIC whois records.

          For all the whining I’ve heard from the programm people over this, not one has stated a single fact that was incorrect in the story. Just a lot of complaining about the publication of “private” data that is anything but.

      • Unfortunately, it looks like leaving a comment in German gets past your profanity filter. 🙁

  3. Wow… People should protest like this more often. Seriously.

  4. Another way you are a force for good. 🙂

    • That’s some strange logic. This would mean that mass shootings are good, since the NRA profits because of selling weapons to teachers.

      • The NRA neither sells firearms nor directly benefits from their sale.

        • Sure glad you included “indirectly,” Pilgrim. (Hat tip to John Wayne) ‘Cause they sure are subsidized by the firearms manufacturers, who ironically, aren’t selling as many guns as they’d like these days.

  5. Wow. Well done, Mr Krebs. I hope this story is as good as it seems, “we all could use a little good news”. This is truly something to be proud of!

  6. Thanks for getting the numbers right – after people from that community pointed you in the right direction.

    Ontopic/offtopic: What’s the deal with exposing real people to the internet by only accusing them. This is no security, but pure…well – try for yourself in your country of residence. Good luck in life!

    • People do this all the time in the US, how else do you think the “company” that paid Stormy Daniels got traced back to Trump’s long time lawyer? They tried to hide and obfuscate the origin of the funds but the entire sordid mess got uncovered and there are no big lawsuits aimed at the reporters who uncovered it.

      If you want to hide in the shadows, then hide in the shadows. If you want to come into the light then you’re going to have to come into the light. You don’t get to hide in the shadows and work in the light. You can try, but don’t be surprised when the light shines on you.

      • The light. You have read the bible a couple of times or are a big star wars fan. This much I can tell from reading this BS.

        • You would do well to avoid trying to psychoanalyze people using a language unfamiliar to you.

  7. Per your guidelines, you may want to remove the two German language quotes in your “Comments” section.

  8. The cynic in me has to wonder how much of the donations are actually from the ill gotten profits of Coinhive.

    Interesting tactic to play the dox victim after profiting from web server hacking. Either the pr0gramm community doesn’t care that the Coinhive hacking activity is illegal or they are really low intelligence. Or both.

    • > … from the ill gotten profits of Coinhive.

      His story successfully clouded your mind. You and several others here don’t seem to understand anything. Krebs investigated Coinhive because earlier this month hackers copied Coinhive code, hosted it on their servers and hacked tons of sites to load their code. Google it.

      • It appears several of you (Jimmey, Krebsistan?, Johnny, o, BearGear, Niklas) have missed the paragraphs excerpted below, especially the last one. If you know that what Troy Mursch or Krebs state is not true, then that should be your complaint and then correct the factual errors. But you don’t dispute anything, just complain.

        //Quote
        Coinhive does accept abuse complaints, but it generally refuses to respond to any complaints that do not come from a hacked Web site’s owner (it mostly ignores abuse complaints lodged by third parties). What’s more, when Coinhive does respond to abuse complaints, it does so by invalidating the key tied to the abuse.

        But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on.

        Mursch said Coinhive appears to have zero incentive to police the widespread abuse that is leveraging its platform.

        “When they ‘terminate’ a key, it just terminates the user on that platform, it doesn’t stop the malicious JavaScript from running, and it just means that particular Coinhive user doesn’t get paid anymore,” Mursch said. “The code keeps running, and Coinhive gets all of it. Maybe they can’t do anything about it, or maybe they don’t want to. But as long as the code is still on the hacked site, it’s still making them money.”
        //End Quote
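The excerpt above explains why invalidating a Coinhive site key does not clean up a hacked site: the script stays in the page and keeps mining. The practical consequence for a site owner is that the only real fix is to find and remove the injected code. The scanner below is an added example, not code from the story, from Coinhive or from pr0gramm; it looks for the commonly reported shape of the embed (a loader script from coinhive.com or a hosted copy of coinhive.min.js, plus a `new CoinHive.Anonymous('<site key>')` call followed by `.start()`) and pulls out the site key so the owner can quote it in an abuse report. The regular expressions and the key length range are assumptions, and the two HTML pages are constructed samples.

```python
"""Scan HTML for Coinhive-style browser miner embeds (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Loader script: coinhive.com served coinhive.min.js; the story notes attackers
# also hosted copies elsewhere, so the file name is matched too. Assumed patterns.
LOADER_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']*(?:coinhive\.com|coinhive\.min\.js)[^"\']*)["\']',
    re.IGNORECASE,
)
# Miner instantiation with the account's site key. Key length range is an assumption.
INIT_RE = re.compile(
    r'new\s+CoinHive\.(Anonymous|User)\s*\(\s*["\']([A-Za-z0-9_-]{16,64})["\']'
)
START_RE = re.compile(r'\.start\s*\(')


@dataclass
class ScanResult:
    loader_urls: List[str] = field(default_factory=list)
    site_keys: List[str] = field(default_factory=list)
    starts_mining: bool = False

    @property
    def suspicious(self) -> bool:
        """Either a miner loader or a site key is enough to flag the page."""
        return bool(self.loader_urls or self.site_keys)


def scan_html(html: str) -> ScanResult:
    """Return loader URLs, site keys and whether mining is started in this page."""
    result = ScanResult()
    result.loader_urls = LOADER_RE.findall(html)
    result.site_keys = [key for _kind, key in INIT_RE.findall(html)]
    # .start() only matters when a miner object is actually created.
    result.starts_mining = bool(result.site_keys) and START_RE.search(html) is not None
    return result


def report(pages: Dict[str, str]) -> List[str]:
    """One line per flagged page, listing the site keys to cite in an abuse report."""
    lines = []
    for path, html in pages.items():
        res = scan_html(html)
        if res.suspicious:
            keys = ",".join(res.site_keys) or "(no key found)"
            state = "mining" if res.starts_mining else "loaded"
            lines.append(f"{path}: coinhive {state}; site_key={keys}")
    return lines


# Constructed sample pages (not real sites); the site key is a placeholder.
HACKED_PAGE = """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_000000000', {throttle: 0.3});
  miner.start();
</script></head><body>Welcome</body></html>"""

CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head><body>hi</body></html>'


if __name__ == "__main__":
    for line in report({"index.html": HACKED_PAGE, "about.html": CLEAN_PAGE}):
        print(line)
```

Run it against the HTML of each page on a suspected site (including theme and plugin files, where injected code tends to hide); a clean page produces no output.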

        • Yes, the best medicine for ignorance is education.

        • Then read Nohard Fealings’ reply further down, that should be the top comment IMHO.

          • Nohard Fealings’ reply further down, that should be the top comment IMHO.

            …why? Most of that comment is nothing but posturing – and the few actual claims it makes are factually incorrect (E.g. the claim that Coinhive can’t block execution of the code on hacked sites).

    • “The cynic in me has to wonder how much of the donations are actually from the ill gotten profits of Coinhive.”

      The cynic in you doesn’t know anything. I don’t say that what Mr. Krebs said about the connection of cha0s and coinhive is not true, but as far as I know, none of the normal users of the pr0gramm even knew that cha0s tried out his script on the website. So why are you trying to put this great demonstration in a bad light? Each and every cent of the money (as far as I know it’s already over 300k€) was hard earned and I won’t let someone like you spit on a great community like this. Shame on you.

  9. The story about this even reached German public television news (“Tagesschau”).

  10. Honestly I didn’t think this could get on my nerves again after the protest. Not only are your fans acting like this is you who has done something good. No, not even an apology or acknowledgment of any kind from your site. I’m glad there’s at least an article about this, but it just feels like flat air. Some way to clear your name perhaps? I don’t know. At last I want to say, I would like you to put more work on your research and get important facts out, not some gibberish you heard from one user of the site. I mean for God’s sake, for instance, how was Gambs foot fetish in any means necessary for the coinhive report?

    • Schwingerkonig

      @BearGear: You want an apology from Brian Krebs? Are you serious? What for? For his investigative journalism he carried out over all those years? Have you even bothered reading his book “Spam Nation”? That is more than just copy paste. I guess, our overhyped Bruce S would fit into the “copy paste” section, at least as far as his last book is concerned. (A compilation of articles, plus some drivel.)

  11. Well they sure are showing you!

  12. Awesome. Not sure if it’s the haters or the reconcilers, but either way the Coinhive stories are making several things better. A just cause has money, a program being abused and getting corrections. And facts that there is no real/lasting anonymity is hitting home for some kids. The worst and best people of pr0gramm are showing their true colors.

  13. Trying to claim this as your victory after your shoddy first article really does not speak well for your character Mr. Krebs.

    • Sorry, but where do I claim this as “my victory”?

      I can’t help think that most of the angry comments from readers in these past two Coinhive stories come from people who a) don’t know how to read properly and/or b) don’t ever let inconvenient or unlikable facts influence their understanding of reality.

      • You keep up the Good work Brian, Sir! Maybe tick off more people in the future that will donate to another good cause. BTW, folks, money has no smell, and the Good Lord uses Caligula as well as Mother Teresa for His purposes, can we get an Amen!

        • Well, Mother Teresa also is long exposed for the person she was. Not sure if you tried to say the Good Lord uses people good and bad alike, or if you deliberately chose two really bad people to show the Good Lord uses the openly bad as well as the wolves in the pelts of sheep.

          And okay, you get an Amen because it is Easter / Passover:
          Amen

      • Keep up the good work Brian. Some people “doth protest too much, methinks”.

      • don’t ever let inconvenient or unlikable facts influence their understanding of reality.

        A better description of the alt-right movement there is not.

        • Funny, I find the exact same thing is true about neo-liberals/regressives. And I’m not even alt-right!

  14. I hope someone in journalism school follows in Brian’s honorable footsteps by changing their name to amyotrophiclateralsclerosis so there is more funding to address that disease.

  15. I was quite astonished (or amused) to see that you even made it into the headlines of the Swiss daily newspaper “Tages-Anzeiger” (also called “Tages-Anlügner”) https://preview.tinyurl.com/y8q7wg7n, a kind of British “Guardian” surrogate. Obviously, the journalist who wrote his article (no name mentioned, BTW), had no idea who you are. Well, as they say: Ignorance is bliss. Generally speaking, you are not known in Switzerland. Let’s not even mention Western Germany.

    Yet, with a bit of research, that article would never have appeared, above all not with such an expletive headline.

    I am a long time follower of your blog and even purchased and read your excellent book “Spam Nation”, but I am probably the only one. Yet, I missed the Coinhive thing altogether and did not know this Western German “pr0gramm.com” website. As a Swiss, I obviously do not care about what happens in the Western Zone.

    Keep up your good work. Your blog is one of the best security blogs. My posting as a reaction to the “Tages Anzeiger” article: https://preview.tinyurl.com/y9s7vfsy.

    • Dear Peter,

      please do not state that BrianKrebs is unknown in Germany. The site is actually very well known in the Security Community and German IT-News sites regularly cite his articles.

      Regards
      Bernhard

  16. Nohard Feelings

    Nobody is criticising you for being investigative. You worked thoroughly and uncovered everything.

    1. You were criticised, because you published data which did not serve a purpose. For example the foot fetish. You could have simply left that out of your article, because it didn’t add valuable information.

    Of course, you only connected publicly registered data sets, but those connections are considered personal data and are protected by German law. Problem is, you connected the dots, so technically the data has been available all along, but in fact it was not available in the context of pr0gramm and coinhive. I understand that the publication of all your findings is considered best practice in US journalism. This is significantly different in Germany, where a journalist would only publish as much information as needed to prevent vigilantism.

    You put bystanders in the spotlight with all their personal information, although they were not your most wanted “criminal”. This is what you should apologise for in my opinion.

    2. Labelling Coinhive malware is debatable. You did not point that out, perhaps because you don’t see any room for discussion. But in fact there are people willing to mine in exchange for an ad-free experience. Coinhive did not encourage hackers to use their code, but it encouraged their customers to tell their visitors about the mining script. No data is stolen, nothing gets infected and nothing gets damaged, so I do not understand the term malware in this case.

    Of course, in the criticised version, the code was executed without any consent from the visitor. But this is also the case for every flash ad. Unless you block it which you can do for miners too.

    3. You criticised the payment methods. At first, I have to tell you that I see no problem with Coinhive getting a revenue. Then you wrote: “When they ‘terminate’ a key, it just terminates the user on that platform, it doesn’t stop the malicious JavaScript from running” and this is where I totally don’t get you. How would you change it? Of course this is the way it is. When you jump into a river with your trousers on they will get wet. When you put code on your page, it will be executed, unless you block it.

    You could demand that all the remaining earnings should be donated or something. But I see no need for your accusations.
    _______

    tl;dr

    People are angry, because you blamed the wrong guys and published their personal data, though it did not serve your purpose. And you are exaggerating the “crime”. We are talking about a cryptominer, not a trojan.

    • There is a pattern here: it seems that most visitors to this site in the US agree with the article being appropriate and well researched. Many of those outside the US see fault in it. But it would also appear that those that complain were somehow affected negatively. I was not affected in any way other than finding this an interesting story about how a possibly good service was being misused by some for personal profit (putting the code on sites without permission). I also agree that if the company is made aware of the abuse, they not only need to cut off the abuser, but inform the site owner and/or stop allowing the code to generate profits. If it were me, I would attempt to send the abuser’s share of the profits to the site owner or, failing to be able to do that, donate it to a charity.

      An ethical person has the option to not profit from abuse or crime. While this happens quite a bit in the US, there are also many who will not accept this “easy money”. I am such a person and I know there are others, even if we are not in as great numbers as I like to think we are. Perhaps it is because we can “afford” to hold these values and for that reason I do not judge others harshly.

    • 1. You were criticised, because you published data which did not serve a purpose. For example the foot fetish. You could have simply left that out of your article, because it didn’t add valuable information.

      …seriously? The only mention of that is a single item in the mind map image, in text which is invisible to Google & the article text itself doesn’t contain a single instance of the words “foot” or “fetish.” That detail is also not the basis for any of the article’s conclusions. It’s also worth mentioning that the only place that info can be found in plain text is in the comments from you and apparent pr0gram/coinhive apologists – so it’s actually Krebs’ critics who are making that information more widely-available by harping on it (Streisand Effect by-proxy).

      And if that’s egregious enough that it’s your primary issue with the article, then surely you can come up with more than one example – right…?

      Of course, you only connected publicly registered data sets, but those connections are considered personal data and are protected by German law. Problem is, you connected the dots, so technically the data has been available all along, but in fact it was not available in the context of pr0gramm and coinhive.

      If the bolded portion is true, that’s insane. It certainly isn’t the case under, say, PIPEDA (Canada’s privacy laws, which tend to be substantially stricter than those in the US). Under most sane privacy regimes, there’s a standard known as “legally reasonable expectation of privacy” – and when you make information publicly-available (say, by submitting to the public WHOIS database when registering a domain name), you forfeit that expectation.

      2. Labelling Coinhive malware is debatable. You did not point that out, perhaps because you don’t see any room for discussion. But in fact there are people willing to mine in exchange for an adfree experience. Coinhive did not encourage hackers to use their code, but it encouraged their customers to tell their visitors about the mining script.

      While I agree, and would have liked to see some clarification, it’s equally plausible that it wasn’t mentioned because the author assumed that the audience for a tech security news site would understand that distinction on their own (which seems to have been a reasonable assumption, E.g. Gabe Mouris’ comment on the original article).

      Though in this case, it seems to be a distinction without a difference – at least in terms of Coinhive’s service being used to exploit people’s computing resources without their knowledge/permission. And it’s also worth comparing to other tools that aren’t fundamentally malware, but can be used maliciously – E.g. VNC. Unlike Coinhive, most VNC distributions include functionality to prevent malicious use, or at least make it more difficult (E.g. displaying notifications when a connection is active).

      I’d also point out that there’s a line between an innocent platform provider whose services are being (ab)used by third-parties for malicious purposes – and a provider who is effectively facilitating malicious activity. I don’t claim that it’s clear-cut, or that I know precisely where that line is – but when a provider is aware of abuse of/via their systems and fails to take any steps to prevent it (when doing so would be fairly easy & while ALSO directly financially profiting by allowing it to continue), it’s really hard to see them as having clean hands.

      No data is stolen, nothing gets infected and nothing gets damaged, so I do not understand the term malware in this case.

      By design, cryptocurrency mining uses as much CPU power as possible – and running at max CPU load for long periods of time isn’t exactly what I would call healthy for a computer, nor is it something that most computer systems (read: laptops, mobile devices) are designed to handle. That can lead to overheating, which most certainly can cause direct damage to CPUs, motherboards, etc – and indirect damage/data loss (mechanical hard drives generally don’t handle sustained high temperatures very well). Not to mention less-tangible harms, like lost time/productivity due to automatic shutdowns caused by overheating, or the Coinhive code making the computer more sluggish overall.

      Of course, in the criticised version, the code was executed without any consent from the visitor. But this is also the case for every flash ad. Unless you block it which you can do for miners too.

      That’s not a great analogy, since you’re comparing a runtime/platform (Flash) with a specific application (Coinhive’s mining script). A better comparison would be between Coinhive and a banner ad network that was fully aware of malicious ads being distributed through their system, and who consistently failed to take any effective steps to clamp down on existing abuse or prevent future abuse.

      Incidentally, I can think of at least one real-world example of that scenario: when Google got hit with a fine of several hundred million dollars for running ads for illegal pharmaceuticals. If Google was liable in that situation, then it seems like Coinhive should be even more liable for malicious use of their system – they’re essentially doing the same thing, if Google had received a cut of all individual sales of the illegal products they ran ads for – instead of getting paid for the ads.

      Then you wrote: “When they ‘terminate’ a key, it just terminates the user on that platform, it doesn’t stop the malicious JavaScript from running” and this is where I totally don’t get you. How would you change it? Of course this is the way it is. When you jump into a river with your trousers on they will get wet. When you put code on your page, it will be executed, unless you block it.

      That’s not an accurate description, because the Coinhive JS code doesn’t actually run ON the third-party sites that use their service – not in the sense that the actual mining code is present within those sites’ HTML code, or JS files that are part of those sites. Rather, a cursory Google search shows that Coinhive uses XSS (cross-site scripting), where the third party site only contains a link/reference pointing to a JS file/code on the Coinhive servers.

      I haven’t used Coinhive before, but a Youtube search for “How to add coinhive in your site” turns up a tutorial (I won’t link to it because it will likely get the comment held for moderation, but it’s the first result) – at about the 27 second mark, the video shows the embed code used to add Coinhive to a third-party site: rather than containing the actual mining code, it’s just a link/reference to authedmine[dot]com/lib/simple-ui[dot]min[dot]js (munged).

      In other words: because all of the actual mining code runs from their servers, it should be trivial for Coinhive to add a conditional check to their code to prevent it from executing for invalid/disabled API keys. Here’s rough pseudo-code for what that would take:

      if apikey is valid
      { //valid key, mining code goes here }
      else
      { //invalid key, error message goes here }

      tl;dr

      People are angry, because you blamed the wrong guys and published their personal data, though it did not serve your purpose.

      You appear to be claiming (and not for the first time) that there are factual inaccuracies in the article, yet you haven’t actually detailed any of them. Without specifics, those claims really don’t warrant any other comment.

      And you are exaggerating the “crime”. We are talking about a cryptominer, not a trojan.

      Depending on the trojan, malicious use of a cryptominer could arguably be worse. It’s making unauthorized use of the end-users’ computer resources (CPU, network, etc) in a way that directly generates revenue for the malicious parties – and Coinhive – while incurring extra costs for the end user (as a result of higher power consumption).

      That said, cryptojacking & trojans are not really an apples-to-apples comparison. It’s a bit like saying “We are talking about getting mugged, not having your credit card skimmed.”

      • Nohard Feelings

        “Here’s rough pseudo-code for what that would take:

        if apikey is valid
        { //valid key, mining code goes here }
        else
        { //invalid key, error message goes here }”

        You are right. Because of moderation your answer reached me too late, sorry. It would work that way (and it does). I looked it up. So you can criticise the way they handle or handled key verification.

        But of course their influence depends on the hack:
        – On Oct. 23rd someone changed the Cloudflare DNS record and redirected to a third-party JS.
        – In another case hackers embedded the code in the landing page of Fibertel. This should be the most prominent case by now.
        – WordPress Cryptojacking

        To be honest, I do not blame Coinhive for not having implemented an advanced key validation system so far. And it was not Coinhive’s fault, the code was embedded on those hacked sites.

        They invalidated some keys, but they couldn’t know before that those were fraudulent. But you are right, once they invalidated a key the script hosted on the server should terminate before the actual mining starts. And it is important that site owners have the possibility to get in touch with Coinhive.

        And obviously Coinhive reacted appropriately by changing their policies. So terminated keys are now actually terminated and the miner is not executed anymore. I think the new version with the UI that asks for consent is on a good way to not be labeled as malware.

        Thank you for clearing that up, good sir. No hard feelings.

    • Oh, and here’s a hypothetical for you: let’s say there was a company that would pay you for the power generated if you installed their solar panels on a house, while taking a 30% cut for themselves (E.g. by feeding it into the grid/reselling it to the power utility) – we’ll call them “Solarhive”. Then imagine your neighbour installed Solarhive panels on your roof (without informing you or getting your permission), which he was able to do because Solarhive didn’t make any attempt to verify that he was the owner of the house and/or had your permission. And maybe these are high-end panels with sensors/motors to adjust their angle to the sun throughout the day – which would run off your power, so you’d be paying to operate the panels while getting none of the benefit from them.

      Would you think that Solarhive should be held in any way responsible in that scenario? Then imagine you discovered the situation, notified Solarhive & they shut off the flow of power to your neighbour… but then left the panels running & just collected all of the power/revenue for themselves. I take it you would have no problem with or objection to that?

      • Well said sir; you win the “Best Analogy” award.

        In terms of the article, I really appreciate the well-researched information and the clarity of the context.

        There are so many web pests, this kind of light is exactly what is required. While the government(s) have a role to play, the culture can do immeasurably more in delegitimizing rogue or even self-serving behavior such as this.

  17. The users of pr0gramm are uploading screenshots of their donations to the imageboard itself. Based on those uploads and the relevant tags it is possible to roughly track the number of donations and the amount donated. It was more or less the same as the recent official statement from DKMS.

    The following website displays that information: http://www.daspr0spendet.de/

    • I forgot to mention that we are currently at 316’000 Euros. Roughly 390’000 USD!

    • Interesting to note is that the official numbers are higher, so it could be closer to €400000.
      Also Herr Krebs mixed up Deutsche Krebshilfe and DKMS. The €207500 were for the former while DKMS got a little less between €100000 and €150000. Plus a few dozen thousand Euros to other institutions also in Switzerland and Austria.

  18. DKMS != Deutsche Krebshilfe

  19. I feel like the only thing missing from all this silliness is Jim Hellwig spontaneously resurrecting from the dead and joining Coinhive’s legal team (clandestinely)…

  20. pr0test LOL

  21. Once again technology in a global economy leaves local law in the dust, digital tools compromised, and personal agendas exposed, for good or ill. Welcome to the WWW.

  22. It’s a good thing it was only the last four of the card number, and not the BIN numbers. That could have resulted in a lot of ATO fraud for victims that are using the same username and password at Panera Bread that they use for their online banking logins.


A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach — Krebs on Security

29
Mar 19

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining that most of this restaurant chain’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.

Joker’s Stash typically organizes different batches of stolen cards around a codename tied to a specific merchant breach. This naming convention allows criminals who purchased cards from a specific batch and found success using those cards fraudulently to buy from the same batch again when future cards stolen from the same breached merchant are posted for sale.

While a given batch’s nickname usually has little relation to the breached merchant, Joker’s Stash does offer a number of search options for customers that can sometimes be used to trace a large batch of stolen cards back to a specific merchant.

This is especially true if the victim merchant has a number of store locations in multiple smaller U.S. towns. That’s because while Joker’s Stash makes its stolen cards searchable via a variety of qualities — the card-issuing bank or expiration date, for example — perhaps the most useful in this case is the city or ZIP code tied to each card.

As with a number of other carding sites, Joker’s Stash indexes cards by the city and/or ZIP code of the store from which the card was stolen (not the ZIP code of the affected cardholders).

On Feb. 20, Joker’s Stash moved a new batch of some 2.15 million stolen cards that it dubbed the “Davinci Breach.” An analysis of the cities and towns listed among the Davinci cards for sale included a number of hacked store locations that were not in major cities, such as Burnsville, Minn., Livonia, Mich., Midvale, Utah, Norwood, Ohio, and Wheeling, Ill.
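The attribution method just described, as a worked example: index the listings by the city of the breached store, give the most weight to the smaller towns that only one candidate merchant operates in, and see which merchant’s footprint explains the batch. This is added illustration code, not anything from the article or from Joker’s Stash; the listings, the three candidate merchants and their store footprints are all constructed, and the code generalizes the reasoning in the text to ranking several candidates at once.

```python
"""Attribute a carding-shop batch to a merchant by store-location overlap.

Added example, not from the article. Listings and merchant footprints are
constructed and hypothetical; only the method mirrors the text: cards are
indexed by the city of the store they were stolen from, and small towns
that few candidate merchants operate in carry the most weight.
"""
from collections import Counter

# Constructed listings: (city, state) of the breached store for each card.
SAMPLE_LISTINGS = (
    [("Burnsville", "MN")] * 40 + [("Livonia", "MI")] * 35
    + [("Midvale", "UT")] * 30 + [("Norwood", "OH")] * 25
    + [("Wheeling", "IL")] * 20 + [("Las Vegas", "NV")] * 60
    + [("Orlando", "FL")] * 50
)

# Constructed store footprints for three hypothetical candidate merchants.
SAMPLE_MERCHANTS = {
    "chain_a": {("Burnsville", "MN"), ("Livonia", "MI"), ("Midvale", "UT"),
                ("Norwood", "OH"), ("Wheeling", "IL"), ("Las Vegas", "NV"),
                ("Orlando", "FL"), ("Seattle", "WA")},
    "chain_b": {("Las Vegas", "NV"), ("Orlando", "FL"), ("New York", "NY"),
                ("Chicago", "IL"), ("Los Angeles", "CA")},
    "chain_c": {("Boise", "ID"), ("Midvale", "UT"), ("Tulsa", "OK")},
}


def city_weight(city, count, merchants):
    """Listing volume divided by the number of candidates with a store there.
    A town only one candidate operates in is near-unique evidence; a metro
    where every candidate has a store barely discriminates between them."""
    candidates = sum(1 for footprint in merchants.values() if city in footprint)
    return count / max(candidates, 1)


def rank_merchants(listings, merchants):
    """Return [(merchant, score)] sorted best-first. Score is the weighted
    share of the batch's cities that fall inside the merchant's footprint;
    footprint stores with no cards in the batch are not penalised, since a
    breach need not touch every location."""
    counts = Counter(listings)
    weights = {city: city_weight(city, n, merchants) for city, n in counts.items()}
    total = sum(weights.values())
    ranking = []
    for name, footprint in merchants.items():
        explained = sum(w for city, w in weights.items() if city in footprint)
        ranking.append((name, round(explained / total, 3) if total else 0.0))
    ranking.sort(key=lambda item: item[1], reverse=True)
    return ranking


def distinctive_cities(listings, merchants):
    """Cities in the batch that exactly one candidate operates in: the
    'smaller U.S. towns' that make attribution possible in the first place."""
    return sorted(c for c in set(listings)
                  if sum(1 for fp in merchants.values() if c in fp) == 1)


if __name__ == "__main__":
    for name, score in rank_merchants(SAMPLE_LISTINGS, SAMPLE_MERCHANTS):
        print(f"{name}: {score}")
    print("distinctive:", distinctive_cities(SAMPLE_LISTINGS, SAMPLE_MERCHANTS))
```

With the constructed data, chain_a explains the whole batch while chain_b only shares the two metros with it, and the four one-merchant towns are what separate them. On real shop data the same step is repeated with ZIP codes, which are finer-grained than city names and disambiguate suburbs that share a metro.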

Earl Enterprises said in its statement the malicious software installed at affected stores captured payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names. The company says online orders were not affected.

Malicious hackers typically steal card data from organizations by breaking into point-of-sale systems remotely and seeding those systems with malware that copies the account data encoded on a card’s magnetic stripe as the card is swiped. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.
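As an added illustration of what such point-of-sale malware hunts for, the following code is not from the article and not from any named malware family. It scans a constructed memory image for ISO/IEC 7813 Track 1 and Track 2 records (the layouts a magnetic stripe carries), masks the card number, applies the Luhn check that scrapers use to discard false positives, and reads the service code. The card numbers are published Visa and Mastercard test numbers plus one decoy that fails Luhn; the surrounding bytes are made up. The same scan, run over a memory dump, is how a responder confirms that track data was exposed.

```python
"""Find magnetic-stripe track data in a memory image and validate it.

Added example, not from the article. SAMPLE_MEMORY is constructed; the PANs
are public test numbers plus one decoy. Patterns follow ISO/IEC 7813.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,79}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Sentinels are often absent in memory, so both are optional here.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})\d{0,40}\??")

# Constructed memory image: terminal chatter around two genuine-looking
# records and one decoy whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS_TERMINAL_01 heartbeat ok\r\n"
    + b"%B5555555555554444^DOE/JANE^25062010000000000000000?"
    + b"\x00\x00Order#4471 tbl=12 tip=0.00\x00"
    + b";4111111111111111=24121011234567890?"
    + b"\xff" * 8
    + b";4111111111111112=25012010000000000?"
    + b"\x00" * 16
)


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4; never log or store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_capable(service_code: str) -> bool:
    """A service code starting with 2 or 6 says the card carries a chip."""
    return service_code[0] in "26"


def scan_for_track_data(buf: bytes):
    """Return track records found in buf, in offset order, PAN masked."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append((m.start(), {
            "track": 1, "pan_masked": mask_pan(pan),
            "name": m.group(2).decode(),
            "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",
            "service_code": m.group(5).decode(),
            "luhn_ok": luhn_ok(pan)}))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append((m.start(), {
            "track": 2, "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",
            "service_code": m.group(4).decode(),
            "luhn_ok": luhn_ok(pan)}))
    hits.sort(key=lambda h: h[0])
    return [rec for _, rec in hits]


if __name__ == "__main__":
    for rec in scan_for_track_data(SAMPLE_MEMORY):
        print(rec)
```

Two practical points fall out of the example. The decoy record matches the pattern but fails Luhn, which is exactly why scrapers validate before exfiltrating and why a responder should not count every regex hit as a stolen card. And the service code recovered from the stripe (201 on the constructed Track 1 record, 101 on the Track 2 record) tells an attacker whether the card has a chip, which matters because a cloned stripe from a chip card is easier to refuse at an EMV-enabled terminal.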

Cardholders are not responsible for fraudulent charges, but your bank isn’t always going to detect card fraud. That’s why it’s important to regularly review your monthly statements and quickly report any unauthorized charges.


32 comments

  1. Are these restaurant chains moving to tokenized processing of bankcards? We’ve been doing that for over a year now, no unencrypted card numbers are ever on our system or exposed.

    But the restaurant industry is slow to adopt new security measures, so they are likely still using swipe readers at the hacked locations.

    • There are some that have upgraded to support the chip. (AFAIK, Buca di Beppo has not.) However, pay at the table in the US is still extremely rare outside of the largest chains and likely will continue to be for some time to come.

      Anyway, I’m feeling that the EMV liability shift wasn’t nearly as strong of a motivator as the card networks thought it’d be. Perhaps this is a case where regulation at the government level would have been helpful.

      • The level of regulation in the US is commensurate with the affordability of the system to merchants. It is actually amazing Chip-and-PIN is reaching the adoption levels it has in America.

  2. The Sunshine State

    Another great article, the credit card breach news always starts here first!

  3. They refuse to update their card readers; they also need to have card processors on each table that only accept chip transactions. I really hate when the waitstaff disappears with my card for 20 minutes as well. Isn’t it time they got ahead of the game? As for Buca, their food isn’t very good and their restaurants have poor acoustics.

    • I also hate when a restaurant does that (I’ve never been to any of the places listed here)!!
      I need to make a better effort at bringing cash to a place I know does that.
      BTW, can anyone tell me why some places swipe my card & then insert it to use the chip? Doesn’t seem secure to me.

    • Chip and signature + tip adjust continuing to be allowed makes pay at the table hard to justify for restaurants. Not to mention that there are apparently a significant number of customers who are not fans of pay at the table, so implementing it when few other places are will likely alienate them. (In my experience, outside of the large major chains like Chili’s and Applebee’s, pay at the table in the US is extremely rare.)

      Of course, this assumes a restaurant upgraded to support the chip at all. A fair number are still swiping.

      • “apparently a significant number of customers who are not fans of pay at the table”

        What reason would people not be fans of keeping possession of their credit card instead of having it walked around a restaurant?

        • Likely in large part due to tipping. Right now it’s done with the server away from the table, so they don’t see the amount until after the guests have left. With a portable payment terminal, the server is standing there while the guests enter the amount. I can see how that’d be awkward if it’s not something done at every restaurant.

          • fwiw, restaurants whose staff leave payment machines w/ customers and then walk away are just asking to be hacked in various ways. I haven’t looked into it in detail, but I expect that someone will have a way to tamper with the machines… The machines can generally trigger credits/refunds in addition to making charges (I’m not sure if they require extra codes for approval, but a key-pad-logger can be installed, if the staff is away…).

            I can understand the hesitancy wrt revealing the tip amount, but it’s a pretty silly thing–the wait staff will know the amount and will probably remember you long enough to be able to associate the amount with you.

    • This article clearly stated that the point of sale computer system was hacked, remotely.

      This article has nothing to do with waitstaff skimming cards or card readers.

      Did you even read it?

  4. Hey, where’s the obligatory “we take our customers security very seriously” BS? Also how about offering a (useless) free credit monitoring service? I guess they don’t do it in Italy, hah?

    • From the Buca di Beppo Web site:

      “We remain committed to safeguarding the security of our guests’ information and deeply regret that this incident occurred.”

      So there’s the BS you were looking for, Dennis.

      • Mikey Doesn't Like It

        BS indeed!

        The only actions they suggest on their website are things that YOU, the customer, should do. Nothing at all on their part. And certainly not even the hint of offering any credit monitoring protection (however useless that may be).

        They “deeply regret” this incident — no doubt because of the inconvenience to them, not us.

        A shabby response. Definitely not the kind of company I’ll patronize.

  5. Can anyone explain why restaurant establishments (and possibly other similar random-transactional-businesses) would have any need to store mag stripe info for more than, say, 24 hours? I expect that the back end payment processors issue a transaction number for every payment made by the front side vendor for tracking purposes. It seems that if B.d.B. and others would simply not retain the sensitive data unnecessarily it would reduce risk in large amounts.

    • This breach, like many others before it, was caused by malware on the point-of-sale devices that captures the card data as the customer’s card is being physically swiped at the register — not when the data is somehow stored in the retailer’s systems.

  6. Time for customers to vote with their feet and refuse to patronize these establishments who allow such breaches to occur for an extended period of time, and then refuse to talk to the press about its occurrence. It’s not like there is a shortage of Italian restaurants or sandwich shops. As for Planet Hollywood, well….

    • By that logic, you should skip any restaurant that hasn’t been breached because it may be breached in the future. Or, better yet, maybe you should just stop using credit cards.

      • I, for one, essentially HAVE stopped using my credit cards, except in the few mega retailers who, if they get breached, then virtually EVERYONE in America will be having a bad hair day right along with me. Only those mega companies seem to actually take any of this “security” stuff seriously. I haven’t used any of my cards at any *restaurant* in literally years, and I won’t, because of stuff like this. The card companies have gone to great lengths to get everyone addicted to using plastic, but doing so is unambiguously dangerous. Cash is your friend. Flip that middle finger at the card companies. They deserve it because they don’t do s**t except collect fees… which they do, even on fraudulent transactions.

  7. Always been corruption dealing with Esau if no the bible I’m not against it because it’s every company you go in spend money on ,comma since ,add up the dollars because the cents don’t make sense so you have a company or franchises dubbling up der money . The Italian way .

  8. What really sucks is when Buca sends you emails for special offers, they only accept your credit or debit card, not cash, to redeem the offer. So what’s that all about? Something’s fishy.

  9. WAIT! WAIT! WAIT! Wait just an effing minute here! Brian, your time line is NOT making things clear. Please elaborate. You write that you contacted the company and informed them of the issue on Feb. 21, 2019, and yet the company CONTINUED to have card numbers stolen from it right up to and through March 18, 2019?? Am I reading that right?

    Brian, please do clarify. And it is really totally OK to blow your own horn here, under the circumstances. Are you, to the best of your knowledge, both the first and also the ONLY party to have informed this company about the breach? And why did it take them nearly a full month to take this matter seriously and to actually lock things down?? This is just NUTS and shows an abject and callous disregard for the safety of the company’s customers. This is really inexcusable. May the lawsuits begin!

  10. So you contacted them on 02/21 but you are reporting it on 03/29.
    Did you agree to wait for a good reason?

  11. Burnsville is a Minneapolis suburb; for all practical purposes it is Minneapolis.

  12. Nothing will change until merchants who leak our credit card data are penalized significantly.

    The tech to avoid these problems is available. The only reason merchants are not using it is that the money they save by not upgrading is literally worth more than the risk they take in not upgrading (because there really isn’t any risk right now). Risk = Severity($) x Probability of occurring x Exposure to the risk. To put it another way: convert risk to dollars, then follow the money. If that points to not investing in proper security, there will be no meaningful security.

    Regrets and yet another credit monitoring subscription do not help. Only when merchants are obligated to observe good security practices via threat of major financial pain will they do so. Flip the equation so it is NOT worth the risk of operating with vulnerable payment processing systems and practices. Only then will we see improvement.

  13. For some reason the Coffee Bean and Tea Leaf joints in our locality have cards inserted in the chip card slot that say “Swipe” with an arrow pointing towards the card swipe slot. The manager said they had problems with the Verifone terminals so they were just using the mag stripe. Sigh.

    • Not unusual.

      I was in a chain sandwich shop Saturday. Their chip readers were all broken.

      The owner was working that night.

      She said corporate forced them to buy that particular system… and corporate doesn’t want to hear that they’re broken.

      Franchisees are responsible for paying to have them fixed.

  14. What forum was this on?




Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years — Krebs on Security

21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both GitHub and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”
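
The failure Renfro describes is a logging pipeline that accepted whatever a developer handed it. The control below is an added example of the kind of safeguard that keeps this from happening; it is not Facebook’s code, and the list of field names it treats as sensitive is an assumption. It is a standard-library logging filter that rewrites each record before any handler formats it, blanking values stored under sensitive keys in structured messages and scrubbing `password=…` and `"password": "…"` fragments embedded in free text, so the plaintext never reaches a file, a collector or a data warehouse.

```python
"""Keeping passwords out of application logs.

Added example of the kind of control the article refers to; it is not
Facebook's code and the field names it treats as sensitive are an assumption.
The filter runs before any handler formats the record, so the plaintext never
reaches a file, a collector or a data warehouse.
"""
import logging
import re
from typing import Any

# Assumed deny-list: keys whose values are replaced wholesale.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token",
                  "access_token", "authorization", "cookie"}
REDACTED = "[REDACTED]"
_NAMES = "|".join(sorted(SENSITIVE_KEYS, key=len, reverse=True))
# "password=hunter2" inside query strings and form-encoded bodies.
_KV_RE = re.compile(rf"(?i)\b({_NAMES})=([^&\s\"']+)")
# "password": "hunter2" inside JSON-looking text.
_JSON_RE = re.compile(rf'(?i)("(?:{_NAMES})"\s*:\s*")([^"]*)(")')


def redact_text(text: str) -> str:
    """Scrub secret values embedded in free-form strings."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    return _JSON_RE.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(3)}", text)


def redact_value(obj: Any) -> Any:
    """Walk nested dicts/lists; blank sensitive keys, scrub strings, pass the rest through."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_value(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact_value(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Rewrites the record's message and arguments in place and always lets it through."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_value(record.msg)
        if isinstance(record.args, dict):          # logger.info("%(password)s", {...})
            record.args = redact_value(record.args)
        elif record.args:
            record.args = tuple(redact_value(a) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines so the demo can return what would have been written."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def render(msg: Any, *args: Any) -> str:
    """Log one record through the filter and return the text a handler would emit."""
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    sink = _ListHandler()
    sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(sink)
    logger.info(msg, *args)
    return sink.lines[0]


if __name__ == "__main__":
    print(render("login body=%s", "user=alice&password=hunter2&remember=1"))
    print(render({"user": "alice", "password": "hunter2", "session": {"token": "abc"}}))
```

Attaching the filter to the root logger (or to every handler on it) covers code that logs request bodies wholesale, which is the common way credentials end up in archives. The deny-list approach is deliberately conservative: an unknown field name is left alone, so the list has to be reviewed whenever a new credential-bearing parameter is introduced.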

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.


205 comments

  1. Well, I think it is difficult to quit Facebook. We all depend on it for most of the things, especially when you are running some business or you are an influencer. So, I think quitting Facebook is not a good idea. If you want to be secure and want to protect your data then you should choose your password wisely.

    • The best case in this scenario is that you used a password that you didn’t reuse on any other website. You could have had the best or longest password ever in this case, but if it was stored in plain text it wouldn’t make a difference.

  2. I picture Facebook’s security officer sitting in a room alone and nobody bothers to confer. Maybe this person brings up these failures, but probably gets ignored. More than likely nobody really cares at Facebook; this goes way back to Zuckerberg’s college days when he started a social network and bragged about his access to users’ data. Clearly a plan of Facebook all along to collect lots of user data for making money from. We should not be surprised and shouldn’t expect Zuckerberg to change because he has a long history of not being concerned.

  3. I agree with many commentators above. Saying that a password change is not required is irresponsible even without a breach of this sort. Change your password on Facebook ASAP. Even if you are not on Facebook, but were at some point in the past, double check your passwords on any other site and change those too if you have suspicion that it may be created with a similar logic. While security conscious folks may create different passwords for different sites, or may regularly change passwords on websites, the rest of the public may have someone who doesn’t.

  4. Wow, Facebook has been bad at security for a long time: I feel like every month we learn something bad about Facebook, but their stocks are not affected. It is like we are now immune or have come to an acceptance that they will fail at protecting our privacy. Other companies get one piece of bad news and their stocks take a dive, but not Facebook.

  5. o))) Well hello ANOTHER BREACH GREAT THAT SUCKS. What i suggest is maybe getting into some of your own practiced Encryption OR BUYING A YUBIKEY ( Not yelling at you)

    o))) I use YUBIKEY all the time and it doesn’t happen to me, any breaches, and my online is more of a battle with the hackers and bullies and password thieves and phone thieves and all those in-between fun. ITS A GREAT Psyche Work out. Something physical if I’m walking or running or exploring new territory.

    o))) also if you want to make it more physical get into exploring NFC Tags.

    o))) The QR Code Way is a little tricky cause involves paper.

    Crypto: 07b654385c3cf16f73ff6441a785e182

  6. I thought Facebook hires some good engineers, hard to imagine that only after 2000 people searching do they start to fix this. It should honestly be pretty obvious.

  7. I know I had a problem 2 years ago that made me delete my account. First I deactivated it. Then I wanted to change my password, before I decided to delete it. What made me delete it was that I wanted to use a password I had used before. Facebook said that I had already used that one.
    Made me think a lot about it, because I always thought passwords were for my eyes only.
    Don’t know if this has anything to do with what’s going on with the employees, I hope not.

    • A provider preventing you from using an old password doesn’t necessarily mean they’re storing your password in plaintext. Basically it works like this.

      You sign up and create a password. Your password would be sent to the server, hashed, and stored in a database under some field, let’s call it “CurrentPassword”.

      You change your password. The server hashes your new password and checks it against however many old passwords they store. If no matches are found and the password complies with whatever password rules they have, the value in “CurrentPassword” is moved to “OldPassword1” and the new password is hashed and stored in “CurrentPassword”.
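
The scheme sketched in the reply above, written out as an added example (not Facebook’s code). Its assumptions: every stored hash carries its own random salt, the hash is PBKDF2-HMAC-SHA256 at the work factor shown, and the last HISTORY_DEPTH passwords are remembered. One consequence worth seeing in code: because each hash has a different salt, answering “was this used before?” means re-deriving the candidate under every stored salt rather than hashing it once and comparing, and at no point is a password kept in the clear.

```python
"""Password history without keeping any password in the clear.

Added example of the scheme sketched in the reply above; it is not Facebook's
code. Assumptions: every stored hash carries its own random salt, the hash is
PBKDF2-HMAC-SHA256 at the work factor below, and the last HISTORY_DEPTH
passwords are remembered. Because each hash has a different salt, "was this
used before?" has to re-derive the candidate under every stored salt.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

ITERATIONS = 100_000   # assumed work factor; raise it for production hardware
HISTORY_DEPTH = 5      # assumed number of previous passwords kept
SALT_BYTES = 16


@dataclass
class StoredHash:
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_hash(password: str) -> StoredHash:
    salt = os.urandom(SALT_BYTES)
    return StoredHash(salt, derive(password, salt))


def matches(password: str, stored: StoredHash) -> bool:
    # Constant-time compare so a mismatch does not leak which bytes differed.
    return hmac.compare_digest(derive(password, stored.salt), stored.digest)


@dataclass
class Account:
    current: StoredHash
    history: List[StoredHash] = field(default_factory=list)   # most recent first


def create_account(password: str) -> Account:
    return Account(current=new_hash(password))


def verify_login(acct: Account, password: str) -> bool:
    return matches(password, acct.current)


def change_password(acct: Account, old_password: str, new_password: str) -> bool:
    """Rotate the password. Returns False, leaving the account untouched, if the
    old password is wrong or the new one matches the current or a remembered one."""
    if not matches(old_password, acct.current):
        return False
    for previous in [acct.current, *acct.history]:
        if matches(new_password, previous):
            return False
    acct.history.insert(0, acct.current)
    del acct.history[HISTORY_DEPTH:]
    acct.current = new_hash(new_password)
    return True


if __name__ == "__main__":
    acct = create_account("correct horse")
    print(change_password(acct, "correct horse", "battery staple"))   # True
    print(change_password(acct, "battery staple", "correct horse"))   # False: reused
```

The cost of the history check grows with HISTORY_DEPTH, since each remembered entry is one more slow derivation; that is the price of per-entry salts and is why the depth is kept small.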

  8. Not scrubbing PID and passwords from a logger is a real rookie mistake though. It is clearer than ever that the company just doesn’t have security on its mind when it starts any activity.

  9. Mass market topics produce the most useless comments.

  10. Cases of this kind happen. It is time to ask what was the specific purpose of this? Why did they keep users’ passwords as plain text?

  11. gerlinde friedrich

    I no longer know my PIN.

  12. Unfortunately, there’s a lot more sites people use that store passwords in clear-text in the database. The proliferation of scripts, and non-security oriented programmers has increased this dramatically. As difficult as it is, a different password for each site is looking like the way to go.

  13. I think the passwords have leaked outside of FB.
    I got a successful login from unusual device notification today to my FB account. Had to reset my pwd and so on. I am pretty sure the leak is not from elsewhere, as I use unique complex passwords on each website, and so this break into my FB account could not have been possible from another site compromission. I also don’t believe too much in the coincidence.

  14. Captain Midnight

    No security culture exists at FB.



Source Code for IoT Botnet ‘Mirai’ Released — Krebs on Security

01
Oct 16

Source Code for IoT Botnet ‘Mirai’ Released

The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

The Hackforums post that includes links to the Mirai source code.


Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

The Hackforums user who released the code, using the nickname “Anna-senpai,” told forum members the source code was being released in response to increased scrutiny from the security industry.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO [link added]. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.

According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.

“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.

Infected systems can be cleaned up by simply rebooting them, since the malware runs only in memory and a reboot wipes it. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot, and then only on devices that actually let the owner change the credentials the scanners are targeting.
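
The scanning behaviour described above (one source walking a list of vendor-default logins over telnet, then succeeding) is easy to pick out of a device’s or honeypot’s authentication log. What follows is an added example of that detection logic, not code from the Mirai source or from this article. The log format, the RFC 5737 addresses and the default-credential list are all constructed for illustration; the burst window and threshold are assumptions to tune.

```python
"""Spotting default-credential telnet scanning in authentication logs.

Added example, not code from the Mirai source or from this article. The log
format, the addresses and the default-credential list below are constructed
for illustration; adapt the regex and the list to your own devices.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed honeypot log lines (not real traffic). RFC 5737 addresses.
SAMPLE_LOG = """\
2016-10-01T08:00:00Z telnetd: auth src=203.0.113.5 user=root pass=admin result=fail
2016-10-01T08:00:01Z telnetd: auth src=203.0.113.5 user=admin pass=admin result=fail
2016-10-01T08:00:02Z telnetd: auth src=203.0.113.5 user=root pass=12345 result=fail
2016-10-01T08:00:03Z telnetd: auth src=203.0.113.5 user=root pass=root result=success
2016-10-01T08:05:00Z telnetd: auth src=198.51.100.7 user=operator pass=Tr0ub4dor result=fail
2016-10-01T08:40:00Z telnetd: auth src=198.51.100.7 user=operator pass=Tr0ub4dor3 result=success
2016-10-01T09:00:00Z telnetd: auth src=192.0.2.9 user=root pass=admin result=fail
"""

# Illustrative vendor-default pairs (an assumption, not the list Mirai ships with).
DEFAULT_CREDS = {("root", "admin"), ("admin", "admin"), ("root", "12345"), ("root", "root")}
WINDOW = timedelta(seconds=60)   # assumed burst window
THRESHOLD = 3                    # assumed distinct credential pairs per window

LINE = re.compile(
    r"^(?P<ts>\S+) telnetd: auth src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    pw: str
    success: bool


def parse_log(text: str) -> List[Attempt]:
    """Turn log lines into Attempt records; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m["src"], m["user"], m["pw"], m["result"] == "success"))
    return attempts


def is_burst(attempts: List[Attempt]) -> bool:
    """True if one source tried >= THRESHOLD distinct user/password pairs within WINDOW."""
    ordered = sorted(attempts, key=lambda a: a.ts)
    start = 0
    for end in range(len(ordered)):
        while ordered[end].ts - ordered[start].ts > WINDOW:   # slide the window forward
            start += 1
        distinct = {(a.user, a.pw) for a in ordered[start:end + 1]}
        if len(distinct) >= THRESHOLD:
            return True
    return False


def analyze(text: str) -> Dict[str, Set[str]]:
    """Map each suspicious source address to the set of alert tags it earned."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for a in parse_log(text):
        by_src[a.src].append(a)

    alerts: Dict[str, Set[str]] = {}
    for src, attempts in by_src.items():
        tags = set()
        if any((a.user, a.pw) in DEFAULT_CREDS for a in attempts):
            tags.add("default-credential probe")
        if any(a.success and (a.user, a.pw) in DEFAULT_CREDS for a in attempts):
            tags.add("default-credential login")   # the device is now a bot candidate
        if is_burst(attempts):
            tags.add("brute-force burst")
        if tags:
            alerts[src] = tags
    return alerts


if __name__ == "__main__":
    for src, tags in analyze(SAMPLE_LOG).items():
        print(src, sorted(tags))
```

Run against the constructed lines, the first source earns all three tags (it walked four default pairs in three seconds and the last one worked), the third earns only the probe tag, and the operator who mistyped once and logged in half an hour later earns nothing. A “default-credential login” on a device you own is the signal to pull it off the network rather than just reboot it, for the reason the paragraph above gives.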

In the days since the record 620 Gbps DDoS on KrebsOnSecurity.com, this author has been able to confirm that the attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic suggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like generic routing encapsulation (GRE) packets. GRE is a tunneling protocol (IP protocol number 47) that wraps one packet inside another so that two network nodes can exchange traffic over a direct, point-to-point virtual link; it lets two peers share data they wouldn’t be able to route over the public network itself.

One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.
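
For readers who want to recognise the traffic described above, here is what a GRE-encapsulated packet looks like on the wire, as an added example built on constructed bytes; it is not taken from the Mirai source. Per RFC 2784 and RFC 2890 the header is 2 bytes of flags and version, 2 bytes of protocol type, then optional checksum, key and sequence fields, then the inner packet. Nothing in it authenticates the sender (the key is a flow identifier, not a secret), which is why such packets are cheap to forge at volume and why a receiver should validate them before doing anything else with them.

```python
"""GRE header builder and parser (RFC 2784 / RFC 2890).

Added example on constructed bytes; not from the Mirai source. Layout: flags
and version (2 bytes), protocol type (2 bytes), then optional checksum plus
reserved (4), key (4) and sequence number (4) in that order, then the payload.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_PROTO_IPV4 = 0x0800            # EtherType of the encapsulated packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
VERSION_MASK = 0x0007              # low three bits; must be 0 for plain GRE


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum (the same algorithm IP uses)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class GreHeader:
    has_checksum: bool
    key: Optional[int]
    seq: Optional[int]
    protocol: int
    header_len: int


def build_gre(payload: bytes, protocol: int = GRE_PROTO_IPV4, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Wrap payload in a GRE header carrying the requested optional fields."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    hdr = struct.pack("!HH", flags, protocol)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)        # checksum is computed over a zeroed field
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:
        csum = inet_checksum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!HH", csum, 0) + hdr[8:]
    return hdr + payload


def parse_gre(packet: bytes) -> Tuple[GreHeader, bytes]:
    """Split a packet into GRE header and inner payload; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack_from("!HH", packet, 0)
    if flags & VERSION_MASK:
        raise ValueError("unsupported GRE version")
    has_c = bool(flags & FLAG_C)
    needed = 4 + (4 if has_c else 0) + (4 if flags & FLAG_K else 0) + (4 if flags & FLAG_S else 0)
    if len(packet) < needed:
        raise ValueError("truncated GRE optional fields")
    offset = 4 + (4 if has_c else 0)           # skip checksum + reserved1 if present
    key = seq = None
    if flags & FLAG_K:
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & FLAG_S:
        (seq,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if has_c and inet_checksum(packet) != 0:   # a valid packet sums to zero with the field included
        raise ValueError("bad GRE checksum")
    return GreHeader(has_c, key, seq, protocol, offset), packet[offset:]


def gre_is_valid(packet: bytes) -> bool:
    """Convenience wrapper: True only if parse_gre accepts the packet."""
    try:
        parse_gre(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = bytes.fromhex("45000014") + b"\x00" * 16   # constructed IPv4-looking header
    pkt = build_gre(inner, key=0xDEADBEEF, seq=7, checksum=True)
    print(pkt.hex())
    print(parse_gre(pkt)[0])
```

The checksum is the only integrity field and it is optional, so a flood can omit it entirely and still be well formed; that is worth remembering when writing filters, since “drop packets with a bad checksum” catches nothing here unless the checksum bit is set.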

It’s an open question why Anna-senpai released the source code for Mirai, but it’s unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants.

My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.

On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.

For more on what we can and must do about the dawning IoT nightmare, see the second half of this week’s story, The Democratization of Censorship. In the meantime, this post from Sucuri Inc. points to some of the hardware makers whose default-insecure products are powering this IoT mess.


108 comments

  1. Wow, that’s some smart stuff to hit. Those IP cameras are usually on pretty good uplink pipes to support them. The Axis ones in particular are capable of HD 10mbps video output at least. Turn off the camera, or aim the TCP/UDP traffic at someone else and you’re in trouble. IP Video platforms are so perfect for this, wouldn’t mind chatting about that with you sometime.

  2. Could someone please post a link to the source. Maybe the code can be used for good purposes as well such as chat botnets in a distributed fashion.

    Thank you very much in advance.

  3. Does anyone have a link to the source code? Can it be posted here?
    thank you very much in advance

  4. How come this post was posted on Oct 16th? O.o

  5. This is almost unequivocally a good thing for web security. Everyone’s acting like it’s the end of the world, the evil botnet is now open source, but that’s an incredibly naive perspective.

    Grey-hats everywhere are going to be using this to log into these vulnerable devices and (1) brick them, or (2) change the credentials, and at that point those devices will no longer be a threat to the public internet. Sure, option 1 sucks for the owner, but they’ll yell at the manufacturer and demand a refund, and the manufacturer will (1) go under, or (2) fix their crappy product.

    No matter how that goes, it’s a win for security and a loss for DDoSers.

  6. The person who posted the src to the source code really likes Shimoneta…

    • And the person who named the bot “Mirai” probably really likes Mirai Nikki! Which makes me think that Anna-senpai might also be the creator of Mirai! Unless this is a reference to the visual novel “Mirai Nostalgia”, where there is also a character called Anna! All in all, those involved more or less directly with Mirai are probably fans of Japanese pop cultures, but not Japanese themselves (I doubt a Japanese would refer to himself or herself as “senpai” out of context, since you are senpai or kohai with respect to someone else).

  7. There is a mention of hardware default passwords being used. Are these changeable to protect your device (or are they permanent back doors of vulnerability)
    and if so how?

  8. Or maybe the person who named the bot “Mirai” is simply saying that this is our “Future” if we don’t smarten up on securing our devices.

    • “People steal—that’s why we invented locks.” –Jason Statham, Parker
      Secure your stuff down or someone will take it from you.
      It is a timeless truism in the story of human nature.

  9. “On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day.”

    It gets even worse. There are a number of tablet manufacturers (most, if not all, of them Chinese) that ship tablets with preinstalled, preconfigured and almost impossible to remove malware.

  10. So now that the source has been released why not develop a payload that blocks all future connection attempts , sort of a grey hat patch …

  11. Seems that the IOT devices were running Linux.

    #include
    #include

    What’s sad is that the majority of these IOT devices don’t need Linux. Hell, most don’t really need an OS. I can see something like DVR’s and heavy vid processing, but something like a fridge or thermostat could use something without an OS. Most could just be simple loop or interrupt driven.

    Or maybe something like FreeRTOS – anything that can’t easily be fingerprinted.

    When we did some of the first things that resembled IOT in 1994, (see patent https://www.google.com/patents/US6208266 ) we were using simple single thread code on the embedded side. I recall when doing embedded stuff that had TCP-IP stacks back in the mid-2000’s having our VAD guys scan the things for vulnerabilities. One came back and said “CP/M?” (interesting rant on this http://www.retrotechnology.com/dri/cpm_tcpip.html )

    When the larger ARM 32 bit stuff came out with MMU and that could run a pared-down general purpose OS ported to it, I had a feeling this would become a nightmare.

    Easy for developers to get to market, not a whole lot of skill required with regard to creating efficient code for things like hardware drivers for MAC/PHYs and userland programs. Reliance on GP OS’s will be as vulnerable as any desktop running basically the same kernel and drivers.

  12. print “] [Remote ddos address” +sys.ton[7]


  14. How ABOUT CERT or BHS posts a list of these devices that are vulnerable immediately????

  15. IoT & web security!

  16. Are these things directly exposed to the internet, or are they behind a NAT box and being compromised somehow else?

    • Who’s to say the NAT box itself isn’t compromised? Routers running embedded Linux or OpenWRT are just as hackable as the machines they serve running Windows or Android. In fact, seizing the router is the most reliable way to bypass (or traverse) NAT.

  17. Why not just have manufacturers release products with random passwords? That is, on the devices themselves, the makers could just put a tag with a randomly generated string, which the user could then change. Seems like an easy fix for the issue.

    • The answer is here: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

      many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

      That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”

      Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

      “The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

  18. the obfuscation code in this source seems pretty simple — XOR. Is that still sufficient? Probably so on most IOT devices since they do not have any antivirus software running scans?

    Also, if an entire manufacturer’s line of products is permanently hackable, can something be done to blacklist the MAC address range of those devices (assuming the MAC address is hard-coded and cannot be changed) at the access router stage?

  19. Thanks for this article. After reading it, I went and searched the source for “GRE” and found https://sourcegraph.com/github.com/jgamblin/Mirai-Source-Code/-/blob/mirai/bot/attack_gre.c#L20. I’m not a security expert, but it was fascinating to poke around to see how some of the attack logic works (how the headers are constructed, etc.)

    Source code with jump-to-def and find-references in the browser here: https://sourcegraph.com/github.com/jgamblin/Mirai-Source-Code/-/blob/mirai/bot/scanner.c#L124

  20. Hello,

    I am the founder and CEO of https://AthenaLayer.com

    Recently our website was attacked by the same botnet. Our new cloud based mitigation system (the same one which our clients use) soaked up the attack no problem! And what is great about this is that we were also able to capture a good amount of data from the attack.

    I have some very accurate data from the attack.

    Here is the post documenting not only the existence of the attack – but the time of the attack.

    https://twitter.com/MiraiAttacks/status/791022243480530945

    As you can now see in just a moment there was a huge amount of incoming requests per second (exceeding 50,000 RPS)

    As shown here: https://image.prntscr.com/image/23744504a4d44582969f71223eafd3d9.png

    This also resulted in a total network transfer of about 280,000 packets per second!

    https://image.prntscr.com/image/406816eb6be544c8bb4ea4fdb0dcbc76.png

    Total bit rate exceeded 2.2Gb/s which is extremely huge – keep in mind this a layer 7 attack so this is real content delivery of 2.2Gb/s which our network had no problem doing under a quick burst.

    That is shown here: https://image.prntscr.com/image/0734c5aa87864bfd84bf664df18d7e9e.png

    Here you can see a visualization of the geographical distribution of the attack.

    https://image.prntscr.com/image/d057acd9406c44a08c6e13ee864bcb14.png

    This can tell you what parts of the globe have the most bots.

    For press inquiries email press@athenalayer.com

  21. Everything savvy with wi-fi capacity IoT are making this world shaky. Engineers are not searching for security vulnerabilities when coding equipment drivers – on account of 802.11ac for gigabit+ speed over wi-fi makes it simple for DDoS daredevil. I can’t fathom why somebody would not use that ability to create something Useful for the world as opposed to assaulting the natives of the general public, simply mind boggling.


Patch Tuesday, March 2019 Edition — Krebs on Security

13
Mar 19

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and SharePoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero-day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.

This is the third month in a row Microsoft has released patches to fix high-severity, critical flaws in the Windows DHCP client, the component that requests and receives a network address (along with settings such as DNS servers) from a DHCP server when a machine joins a network.

These are severe “receive a bad packet of data and get owned” type vulnerabilities. But Allan Liska, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.

The bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe’s given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys

SANS Internet Storm Center

Ask Woody

ZDNet


47 comments

  1. The Sunshine State

    Is “Servicing stack update” (KB4490628) for Windows 7 SP1 more Microsoft tracking?

    • The Servicing Stack update is not a telemetry update; it is necessary to ensure that you’ll receive the SHA-2-based patches in the future. (I believe those start in a couple of months for Windows 7/Server 2008 R2.)

      For those not seeing the Servicing Stack update – you won’t see it until you apply or hide everything else in the queue.

      • My Windows 7 Ultimate 64 bit, update is trying to install that KB number again, despite showing that it is already installed successfully. MS updates are sure getting buggy.

        • Interesting…as Arte Johnson used to say. I also have 7/64 and usually wait until Friday or Saturday to install the updates. This month, the downloads from the Microsoft Update Catalog were slow and spasmodic…which I don’t recall happening before.

    • It seems to do quite a bit, people tend to say it’s quite a large topic to cover. From what I read on a forum post and the Microsoft-issued update log, one function is it assisting during Windows Updates. It’s also supposed to fix update corruptions.

  2. Eric Rosenberg

    Of my two machines automatically updated, one is fine, the other is DOA. I can’t get past the BIOS to change the boot sequence to boot up from the recovery USB. It hangs on the manufacturer (HP) logo. No Windows, no nothing. Not sure what to do next!

    • Windows 10 or 7? Try holding F8 as it boots to see if you can get into safe mode. There are also tons of Microsoft forum posts that can help.

    • Getting into BIOS happens before the OS even starts to load. Disconnect all peripherals (except keyboard and mouse) and make sure you are hitting the correct key (F10, F1, F2, Escape) to get into BIOS. May need to turn off “Secure Boot” to change the boot order.

    • There could be a peripheral (external hard drive, printer, etc.) plugged into the computer, which is causing things to get stuck. Try unplugging all of the peripherals and boot up again.

      Good luck.

    • HP used to include some pretty good recovery software for such events. If you can get to the HP web site for your model of PC, you could check the user manual for the procedure. Windows 10 may have changed all that, because it has some pretty good recovery options as well – but there are many different avenues to attack the subject, so the advice here to consult the MS support site is very valid.

    • Disconnect your PSU, and take out your CMOS battery for 5-10 minutes and put it back. That’s what I had to do.

  3. I was called by “Microsoft” yesterday (really a robo call) that explained there were critical patches and they even referenced the Microsoft site and phone number. I had the option of talking to an engineer so I pressed 1. Someone picked up and asked how they could help me. After I asked which department they worked in at Microsoft they hung up. I assume they would’ve tried remoting in or asking me for sensitive information.

  4. I had no issues with this month’s patches/updates being processed properly on either W7U or W10H machines, thankfully.

  5. KB4490628 is trying to install again, despite the history showing it installed successfully already. I’m not sure it is worth a call to MS to even bother with it. I’ll just leave it in the queue for a while to see if MS ships another fix for a buggy update. Seems that is the MS way nowadays – send buggy updates then send a fix afterward – geeze!

    At least I didn’t have to contend with that 1809 disaster that my sister had to deal with on Windows 10!

  6. I did the auto-install of the updates on my HP h9-1183 running Win7 Premium and it killed my video. I was able to view the usual menu with Ctrl-Alt-Delete, but aside from that it was a black screen (no cursor) after Windows loaded. All this was preceded by Chrome failing to run (looks like it is up to date, per your warning), at which point I rebooted and that’s when the video failed. Rolling back the security patches (4489878 and 4474419) restored the video (and Chrome).

    • Allan,
      If your video failed how were you able to back out the two updates? Safe mode?

      • John, correct, rebooted in safe and then did the roll back. And all I had to roll back were the security patches. Might have gotten away with just one of the two, but haven’t tried individual installs of each to see if just one is the offending update, or if it’s both.

  7. The correct Google Chrome version is 73.0.3683.75 as of today. On a side note, I don’t get an arrow on the address bar, or any other indication that Chrome has an update pending. My update notifications usually come from US-CERT via email. I usually click on the Hamburger -> Help -> About Google Chrome on all OS flavors to perform the update.

    So far no problems detected on Windows 10 Enterprise from this update.

    • Thanks for that! I didn’t realize, and got caught with my pants down – so to speak. Chrome is usually better than that. Not even my software updater caught it.

  8. This patch caused lots of problems on my laptop.
    The first was a series of repeated error messages about being unable to access the wacom driver. I eventually had to plug a wacom tablet in to get past those, but when the desktop started to appear it was extremely slow.

    It’s a little better now, but still very slow to boot up and shut down with noticeable lag opening programs like Word and Gimp, and in opening files with those programs.

    I haven’t tried to use any tablets yet. Word threw up an error when I first tried to use it, but eventually started to run.

    And, of course, the whole process made me late for work because I’d only intended to turn on for 5 mins to google something. 45mins later I was able to power down and go out.

    It’s an HP G50 laptop

  9. Immediately after Tuesday’s update, a lot of my text (in email and on various sites) appears faded and portions of the letters are missing to the point it is unreadable. Anyone else have this problem or know a fix?

  10. This patch is killing me. Two machines running Win7 Pro on automatic updates have hung in an endless loop of “Configuring Windows – Do Not Turn Your Computer Off” warning messages. The machines never actually boot …

    • At this point I’m reasonably convinced that Microsoft is … maybe not directly sabotaging Windows 7, but being so incredibly awful about support and quality and regression-checking updates that it’s reasonable to believe that they’re punishing anyone who has the temerity to not switch to Windows 10 on their schedule.

      • Microsoft issued a reminder among those KBs that states that Win 7 will be out of support as of February 2020.
        I’ve dumped SHA stack KBs though, as when I figure out that I need them, I know where to get them.

    • Had same problem. CTRL-ALT-DELETE gets you in.

  11. As far as DHCP abuse goes, many business-grade switches have a function that blocks rogue DHCP servers. It’s a good idea to use this functionality regardless of this specific issue.
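
The switch feature referred to above is DHCP snooping, which drops server-side DHCP messages arriving on untrusted ports. As an added example (not from the commenter or from this page), here is the same check done on the host side in Python: parse the BOOTP/DHCP options out of UDP payloads and flag any OFFER, ACK or NAK whose server identifier (option 54) is not on an allow-list. The allow-list, the `build_dhcp` helper and the sample traffic are constructed for this example and are assumptions, not data from the page.

```python
import ipaddress
import struct

# DHCP/BOOTP constants (RFC 2131 / RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_DISCOVER, MSG_OFFER, MSG_REQUEST, MSG_ACK, MSG_NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {MSG_OFFER: "OFFER", MSG_ACK: "ACK", MSG_NAK: "NAK"}

# Assumed allow-list for this example: the only DHCP server that should answer on the segment.
AUTHORIZED_SERVERS = {"192.168.1.1"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV options after the BOOTP header and magic cookie into {code: value}.
    Raises ValueError for payloads that are not DHCP or are truncated."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad length or missing magic cookie)")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def classify_dhcp(src_ip: str, payload: bytes):
    """Classify one UDP payload seen on the wire.
    Returns ('client', None) for client-side messages, otherwise
    ('authorized' | 'ROGUE', server_ip) for OFFER/ACK/NAK."""
    opts = parse_dhcp_options(payload)
    mt = opts.get(OPT_MSG_TYPE)
    msg_type = mt[0] if mt else 0
    if msg_type not in SERVER_MESSAGES:
        return "client", None
    # RFC 2131 requires option 54 (server identifier) in OFFER/ACK/NAK; it survives
    # relaying, so prefer it and fall back to the IP source only if it is missing.
    sid = opts.get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else src_ip
    verdict = "authorized" if server in AUTHORIZED_SERVERS else "ROGUE"
    return verdict, server


def find_rogue_servers(traffic) -> set:
    """Return the set of server addresses that answered clients without being on the allow-list."""
    rogues = set()
    for src_ip, payload in traffic:
        verdict, server = classify_dhcp(src_ip, payload)
        if verdict == "ROGUE":
            rogues.add(server)
    return rogues


def build_dhcp(msg_type: int, server_id: str = "", xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCP message (BOOTP header + magic + options) for the sample traffic."""
    op = 1 if msg_type in (MSG_DISCOVER, MSG_REQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,          # op, htype=Ethernet, hlen, hops, xid, secs, flags
                         zero4, zero4, zero4, zero4,      # ciaddr, yiaddr, siaddr, giaddr
                         b"\xde\xad\xbe\xef\x00\x01".ljust(16, b"\x00"),  # chaddr (constructed MAC)
                         b"\x00" * 64, b"\x00" * 128)     # sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + DHCP_MAGIC + options + bytes([OPT_END])


# Constructed sample traffic (not a real capture): (IP source, UDP payload) pairs.
SAMPLE_TRAFFIC = [
    ("0.0.0.0",      build_dhcp(MSG_DISCOVER)),                   # client asking
    ("192.168.1.1",  build_dhcp(MSG_OFFER, "192.168.1.1")),       # legitimate server
    ("192.168.1.77", build_dhcp(MSG_OFFER, "192.168.1.77")),      # unauthorized host answering
    ("192.168.1.77", build_dhcp(MSG_ACK, "192.168.1.77")),        # ...and completing the lease
]

if __name__ == "__main__":
    for src_ip, payload in SAMPLE_TRAFFIC:
        print(src_ip, *classify_dhcp(src_ip, payload))
    print("rogue DHCP servers:", sorted(find_rogue_servers(SAMPLE_TRAFFIC)))
```

On a live segment you would feed `classify_dhcp` the UDP payloads captured from port 67 to 68 (a raw socket or any pcap library will do); this only detects a rogue server after it has already answered a client, so the switch-side snooping feature in the comment remains the preventive control and this is the complementary alert.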

  12. I’m curious what problems enterprise users are having if they do a “one shot” patch application to all their Microsoft products. Are the problems mainly browser related, small components, or all over the map? How many of you are able to apply all patches simultaneously without incident?

  13. PC killed (win 7 64). Thanks to Microsabotagesoft. After UEFI it goes into system repair loop. No safe mode. SFC and offline iso DISM won’t work.

  14. Just out of curiosity… (No sarcasm implied) why are y’all still running Windows 7?

    • Windows 7 isn’t perfect, but it was one of the most stable, secure, and easily used versions of Windows, when it was introduced. A great deal of money and time was spent integrating Windows 7 in the modern workforce.

      Entire industries evolved around Windows 7, don’t forget. Much of “Internet 2.0” was built on computers running Windows 7. The growth of healthcare informatics was integrated with secure software designed for Windows 7. The proliferation of high speed Internet was fueled, in part, by inexpensive computers in every school and small business, all on the back of Windows 7.

      Since Windows 8 and 10 are cosmetic updates to the user interface and fairly minor changes that don’t affect the core purpose or functionality of Windows, it’s hard to argue for major investment into converting older systems to use 8 or 10.

      Many of these readers may want to upgrade their systems to Windows 8 or 10, but they don’t want to abandon other software or equipment that were designed to be used with Windows 7.

      There’s no sense in eating a hen that still lays eggs. The same goes for cows that still produce milk and replacing Windows 7.

    • It started out with Windows 10 being a complete dumpster fire when released. My honest impression is that it was so bad that I thought it was Microsoft’s passive-aggressive way to get out of the desktop operating systems business. There’s nothing that says “professional work environment” like Microsoft whoring out your desktop for the latest crapware version of Candy Crush or whatever. They took all of the horrible problems associated with their “monthly service pack” approach to Windows Update and somehow made those a hundred times worse (and ten times slower) with a container store system that breaks every few months and almost always requires 1-2 technician-hours to fix (we’re getting better at automating this, but the amount of work has been insane – it’s like all of the tools involved were specifically designed to resist scripting). The UX is somewhat better than Windows 8/8.1, in a desultory way (“Ok. Fine. You can have your start menu back. But our feelings were really hurt, so we’ll still use tiles for no obvious reason and bury the far more useful Pin-to-Taskbar function another pop-out menu deep.”). Then there’s the whole “you’re getting a mandatory point-release OS update every six months, no matter how stupid that is in a business environment that’s more concerned about stability and UI continuity than it is about having a better version of Minesweeper”… or you can buy Enterprise Edition ($$$) plus Software Assurance ($$$) and we’ll deign to let you use the LTSB version that we made that only you ridiculous troglodytes who insist on avoiding the trendy new continuous release paradigm (translation: everything is early beta quality, forever, get used to it) have any interest in.

      It’s like the executives at Microsoft went to an astronomical degree of trouble and expense to graft more arms onto themselves so they could give us the finger with eight or nine hands at once instead of just two. So, please humbly pardon us if we weren’t just aching to get with the program.

  15. Running Windows 7 Home Prem 32-bit. Was unable to run System Restore after January 2019 updates. Had to restore back to a system image using a recovery disc & then did not try to re-install January updates. Had no problem with Feb updates, but ran into the same System Restore problems with March updates & so I restored back to a system image once again. Jan & March updates causing slow-down issues & some funky issues with my desktop icons. Do not like these updates disabling my System Restore, thus I am doing a complete Backup & System Image from now on immediately before installing any more Microsoft Updates so if I need to restore my system using a system image, I won’t lose a bunch of data.

  16. New Windows updates (March 12, 2019) have given me the blue screen with the notation “Driver IRQL not less or equal (afd.sys)” and the system reboots. I have uninstalled the update and everything works fine. Installed on 3 different occasions and each time I get the blue screen, so I am left with not installing this update. What’s the fix, if any?

  17. Issue resolved but not exactly sure how I did it. I did 3 things: disconnected all USB ports (printer may have been wonky); installed a new update for Java; rebooted the computer 2 times. All done after the new update installed. One of these worked, not sure which one did the trick.

  18. Question:
    Is a machine “protected” from Google Chrome Vulnerability as long as this Microsoft update KB4489878 is installed or Google Chrome 72.0.3626.121?

  19. Much as I’d love to update this HP Windows 10 desktop machine, it’s been stuck at Windoze 10 v1703 forever. It cannot update to 1803 (at all, never mind the patch fixes) due to an issue with “Infineon TPM Professional Package can’t be uninstalled,” and if you can find that blasted thing on this machine, you’re a better man than I.

    All my other machines are fully up-to-date; this one is stuck in the weeds, despite many sessions of researching the problem on the Intertubes and trying various solutions: searching for certain folder names, filenames, MSConfigging and whatnot. Having MS tell me (in their error message) that I must manually uninstall the thing because their procedure cannot does not fill me with confidence. One of these days I’ll figure it out.

    • Have you tried to install 1809 directly through use of the MS creation tool to produce the updated image on a USB drive for installation? That worked (finally) for me on a Toshiba netbook with a 32Gb SSD after nothing else had, and 1809 installed properly that way.


  21. Well we are experiencing huge problems with Office/SharePoint. All of a sudden 9 out of 10 documents open in Read-Only mode with no option to turn it off. This is when opening from IE. Opening the document in OOS (browser) works fine but not in the desktop application.
    Using Explorer in SharePoint to edit the document works fine, but clicking the link to edit the document does not.

    Using Chrome…no problems.
    Anyone experiencing the same problems?

  22. google plus account

    Thank you for that info.

  23. Hello
    This last update borked my girlfriend’s computer. She let it update and went to her mother’s. When she came back she was getting a no signal on the screen.
    After rebooting it still said no signal. Being the geek I am, I went through all of the obvious things: checked the cables, tried the onboard video, unplugged the drives to see if one went bad, tried a different video cable, checked all of the wiring inside and out. Still no boot into BIOS, no sounds, no bad codes, simply “No video input detected.” The board is a Z87 Pro with a 4790K Intel and 16 gigs of RAM… oh, I even moved the RAM and tried one at a time. She is a casual gamer (Conan, Ark and a few others); the computer has been fantastic up until that update and now this. Yes, we have tried the battery and the BIOS reset switch on the board, to no avail… any ideas? And thanks for reading the rant lol.



#####EOF##### Canadian Police Raid ‘Orcus RAT’ Author — Krebs on Security

02
Apr 19

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”

“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

Earlier this year, Rezvesz posted on Twitter that he was making the source code for Orcus RAT publicly available, and focusing his attention on developing a new and improved RAT product.

Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.

“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”


39 comments

  1. Sascha A. Carlin

    What still makes me wonder is why we have not seen hardware manufacturers finally put an end to abuse of webcams and make sure, hardware-wise, that such cameras cannot be active without their indicators, well, indicating that they are.

    I guess I am missing something important here. Can somebody please point me to it?

    • It seems so obvious that the power going to the webcam should be the same power source that lights the LED indicator – so that it’s electrically impossible for the webcam to be on without the LED also being on. Instead, manufacturers control the LED indicator with firmware, which, as we have seen, can be disabled maliciously. No one is holding device manufacturers responsible for user privacy.

      • There is one problem with that idea…the fact that doing it that way would require the LED and the camera to have identical power requirements, which they do not. (Not even close, looking at options for cameras at DigiKey…)

        So, as a result, they need separate (and different) power feeds, each of which requires their own control. Sure, you could use a relay…a solid-state relay would be the smallest option. But it would still require your laptop lid to be nearly half an inch thick to accommodate it. And thus that power switching control ends up being done via software because, well, people like thin laptops, not thick ones.

        • You wouldn’t need a SSR. Just one mosfet doing low side switching for the LED, or a BJT and a resistor in series with the base.

          Look for my post on Steve Gibson’s podcast.

        • All you need is a physical switch for both the mic and camera. Switch it off, and neither the mic nor the camera is capable of being turned on. That’s it, that’s all. It can be done with a pretty small switch with 2 separate power cables for each device.

          • Physical switches cost money. The device manufacturer has to test them with some sort of physical device to move the switch, or a person.

            A shutter on the camera might be cheaper.

    • I can somewhat explain this. The camera needs firmware. To keep things cheap, there is no programmable memory in the camera to hold the firmware. Rather, the OS driver is what uploads the firmware. So the hacker changes the driver in a manner that allows the RAT to not turn on the light.

      The “why” is only something I can guess. I suppose one reason is to save the couple of milliamps it takes to drive the LED. Not an issue in a notebook, but the camera module could be used in other applications.

      This was discussed on TWIT’s “security now”. I ran a few searches using site:grc.com since Steve Gibson has show transcripts, but I can’t find the episode where this was discussed. Doing a search on RAT itself was a shocker since the website turns out to have medical research on it!

        • Close and much thanks. Those are the show notes. This is a transcript of the podcast.
          https://www.grc.com/sn/sn-437.htm

          My recollection was reasonably good. What is missed is they leave the camera in standby. I don’t follow why that is done other than I assume to get the camera working as fast as possible.

          So the camera is in standby with the LED off. But standby probably means don’t put the data on the USB bus. The hacker has other ideas.

          At one time Apple used the camera to determine ambient light, which in turn would be used to adjust the display backlight. That would be a case where you surely needed the camera operating but not really on. All modern notebooks have a simple light sensor, totally independent of the camera.

      • Gary, a question.

        I do not use the laptop’s built in camera, but an accessory one connected via USB to the machine. If I Skype and the accessory one is not plugged in I do not get a picture (i.e. the machine does not shift to the built in camera).
        Can I assume that no one from the outside can utilize the built in one?

  2. In the previous RAT cases, I recall that the authorities had evidence of the RAT authors actively involved in helping customers deploy and use the RAT for illegal purposes.

    I don’t think we’ve seen a prosecution based only on the RAT features that facilitate illegal activity. That would be a hard case to prosecute.

    • Right. Hence, this part from the story:

      “However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.”

      • Frank Ch. Eigler

        “tend to be viewed by prosecutors”

        … but such views are not the law. The production & distribution of dual-use things is almost always protected by law.

        • I agree, this is not how the law works.

          • ChrisSuperPogi

            I guess this explains why it took them this long to arrest the author…

            I was under the impression that he would’ve been arrested back in ’15/16 when the evidence of its nefarious use was discovered…

            Just my thoughts…

          • Blanche Dubois

            “but such views are not the law”?
            “not how the way the law works”?
            Is your legal adviser a Hollywood movie?

            What makes you think that Rezvesz only has 1-2 “criminal computer activity” charges to worry about now?
            His inconvenience started the moment the magistrate signed the search warrant.

            The entire address is subject to search and confiscation, to be perused at leisure by police. If other crimes are also discovered, or subsequently discovered, more warrants will flow. It will be charge pile-on time.

            And best, Mr. Rezvesz has no idea what other evidence the police of at least 3 nations have on him.

            Mr. Rezvesz could help all those fighting daily malware, by lying to police, now or during future interviews, on any subject.
            Messrs. Michael Flynn and Michael Cohen can now write short true stories about doing that.

            We’ll learn how “tough” Mr. Rezvesz really is.

            • If he knows he’s committed certain crimes, which he would have to assuming he did in fact commit crimes, then he knows exactly what evidence they could have on him. Evidence of potentially every single crime he committed.

      • I own firearms. Firearms I use for hunting, target competitions, self-defense, and to revolt against tyranny as is my constitutional right in the USA. I’ll bet Venezuelans regret giving theirs up now, in fact, they have said so. Firearms can also be used in violent crime. Should I be searched then? My firearms confiscated for pre-crime? Some “authorities” might think so. How about firearms manufacturers? Should they all be investigated? Are we all guilty until proven innocent?
        Don’t mistake me: this guy sounds like a bad actor, but a line may have been crossed by the authorities as well.

    • Strange features are probably hard to prove alone, but probably do enhance a prosecutor’s argument, particularly for the features that serve no purpose except for malice.

      The one that hugely stands out to me from the linked list is the “let it burn” feature, which literally has no purpose except to mess with the desktop of the affected user. There’s no legitimate remote administrative tool with this sort of feature.

      Similar can be said with “password recovery from famous applications” – this would fall afoul of any IT best practices about security (or even mediocre IT practices about security), and would never be included in any legitimate remote administrative tool.

      • Password recovery is common on remote admin tools. Hiren’s BootCD has had it for ages. It is useful for unlocking a local admin account on a machine that has lost connection to its domain, and becomes necessary when an admin inherits a domain that is not properly documented.

        • Well, I’ll start by saying rescue CDs are different than RATs. 🙂

          From what I know, OS manufacturers tend to frown on these “password recovery” tools in these rescue CDs (I know some admins use them, but some are “gray hat” in nature). The official Microsoft approach for instance is to create a password reset disk which, if you forget your password, you can use to reset it. Discussion of resetting local passwords is limited on many support forums (eg BleepingComputer) due to the difficulty of determining whether the requester of this support is the legitimate owner.

          Many remote administration tools do have the ability to manage local administrative accounts or domain accounts (including passwords). But we are talking about passwords stored in applications like browsers here. These are passwords that quite often do not fall under an administrator’s domain. Why would an admin need to remotely look at potentially sensitive user data that does not necessarily fall under their scope? They don’t need to. Hackers on the other hand would love potentially sensitive login information.

  3. The Sunshine State

    “I tend to have a violent nature, and have both Martial arts and Military training”

    He’s one of those internet tough guys hiding behind a keyboard and mouse, using intimidation to manipulate and spread false fear.

  4. Threatening someone and leaving a paper trail. This guy is not very bright. With an ego that huge, I don’t think he is capable of stealing a pack of gum from the local market without everyone knowing about it.

    • I had the same reaction. . . He stored his business records and contacts on site. I wonder if he even went to the trouble of encrypting them? I suspect that the RCMP et al. scored a treasure trove of information. Good for them!

  5. Seems like an edgelord on steroids.

    His profile pictures and ego come together for one of the more cringeworthy personas I have seen in a while.

    Best part is that you know he will read these comments. I’m just left wondering where he is hiding his Katanas and fedoras.

  6. The only time RCMP prosecutes cyber crime is when the FBI phones them and says “let us fill out that warrant application for you.”

    They have 200+ people “investigating” cyber crime (depending on what source you believe) and next to zero prosecutions.

  7. I bet those “legitimate users” of his “software” are now s__ting their pants knowing that their “real” names (according to that sleazeball) are in the hands of Canadian police 🙂

    Also, when will those “legal” malware peddlers learn that you can’t do this from a Western country? You need to do it having a server in Russia or a similar country.

  8. So where is Sorzus in all of this?

  9. He did nothing wrong. The customers should be responsible for their own actions. Fuck the police.

  10. The story needs a phonetic guide to the suspect’s name.

    And an update if/when there’s an arrest.

    Interesting case.

    Canadian judges can prohibit an individual from accessing particular websites, before an arrest or conviction or even an evidentiary hearing on the websites’ content?

  11. CHC of Asheville

    Question: does switching off “Allow Remote Connections” in Windows have any effect on one’s vulnerability — or does the malware just switch this setting to True if it isn’t true already?

    • CHC of Asheville,

      Malware/RATs do not care about this setting. Setting it to False will not stop malware. Malware/RATs do not need to set it to True to operate at their full capacity.

      They do need to use Windows’ built-in remote desktop abilities to operate in a “remote desktop” capacity. As such the aforementioned option will not protect you. However, you should have it set to False regardless (unless you have a legitimate use for it).

      Protect your computer by making sure you have Windows Defender enabled, ideally with another antivirus or antimalware solution on top of it such as Malwarebytes, ESET, Kaspersky, Bitdefender, etc. Everyone has their opinions on which is best.

      Thanks

  12. Bound to Happen

    You’re giving him way too much credit. Sorzus was the real author, not John “Armada” Rezvesz. Armada couldn’t even code.

  13. That’s messed up that he used the bitcoin logo in his ad. For shame.

#####EOF##### Alleged vDOS Proprietors Arrested in Israel — Krebs on Security

10
Sep 16

Alleged vDOS Proprietors Arrested in Israel

Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.

Alleged vDOS co-owner Yarden Bidani.

According to a story at Israeli news site TheMarker.com, Itay Huri and Yarden Bidani, both 18 years old, were arrested Thursday in connection with an investigation by the U.S. Federal Bureau of Investigation (FBI).

The pair were reportedly questioned and released Friday on the equivalent of about USD $10,000 bond each. Israeli authorities also seized their passports, placed them under house arrest for 10 days, and forbade them from using the Internet or telecommunications equipment of any kind for 30 days.

Huri and Bidani are suspected of running an attack service called vDOS. As I described in this week’s story, vDOS is a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline.

The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.

For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: “godiefaggot.” For a brief time the site was unavailable, but thankfully it is guarded by DDoS protection firm Prolexic/Akamai. The attacks against this site are ongoing.

Huri and Bidani were fairly open about their activities, or at least not terribly careful to cover their tracks. Yarden’s now abandoned Facebook page contains several messages from friends who refer to him by his hacker nickname “AppleJ4ck” and discuss DDoS activities. vDOS’s customer support system was configured to send a text message to Huri’s phone number in Israel — the same phone number that was listed in the Web site registration records for the domain v-email[dot]org, a domain the proprietors used to help manage the site.

At the end of August 2016, Huri and Bidani authored a technical paper (PDF) on DDoS attack methods which was published in the Israeli security e-zine Digital Whisper. In it, Huri signs his real name and says he is 18 years old and about to be drafted into the Israel Defense Forces. Bidani co-authored the paper under the alias “Raziel.b7@gmail.com,” an email address that I pointed out in my previous reporting was assigned to one of the administrators of vDOS.

Sometime on Friday, vDOS went offline. It is currently unreachable. Before it went offline, vDOS was supported by at least four servers hosted in Bulgaria at a provider called Verdina.net (the Internet address of those servers was 82.118.233.144). But according to several automated Twitter feeds that track suspicious large-scale changes to the global Internet routing tables, sometime in the last 24 hours vDOS was apparently the victim of what’s known as a BGP hijack. (Update: For some unknown reason, some of the tweets referenced above from BGPstream were deleted; I’ve archived them in this PDF).

BGP hijacking involves one network operator, an ISP or any other autonomous system, fraudulently “announcing” to the rest of the world’s networks that it is in fact the rightful custodian of a range of Internet addresses that it doesn’t actually have the right to control; routers elsewhere that accept the bogus announcement then forward traffic for those addresses to the hijacker. It is a hack most often associated with spamming activity. According to those Twitter feeds, vDOS’s Internet addresses were hijacked by a firm called BackConnect Security.
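The mechanics in the paragraph above, as an added example that is not part of this post: a small Python checker that compares BGP announcements against a table of expected origin ASNs, flagging both an exact prefix announced by the wrong origin and a more-specific sub-prefix announced by the wrong origin, plus a longest-prefix-match lookup showing why the sub-prefix form captures traffic even while the legitimate route stays advertised. The prefixes, ASNs and announcements are constructed (documentation address ranges, private-use ASNs) and say nothing about BackConnect’s or Verdina’s real address space; real monitoring would validate against RPKI ROAs or IRR records rather than a hand-written table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: prefixes an operator monitors, each mapped to
# the ASN that is supposed to originate it. Documentation address ranges and
# private-use ASNs only; none of this describes a real network.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost = neighbour we heard it from, rightmost = origin ASN

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def classify(ann: Announcement, expected=EXPECTED_ORIGINS) -> tuple:
    """Compare one announcement against the expected-origin table.

    Returns (verdict, covering_prefix). An exact prefix from the wrong origin is
    an origin hijack; a more-specific sub-prefix from the wrong origin is a
    sub-prefix hijack, which wins longest-prefix match and so pulls traffic even
    while the legitimate route is still in the table.
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    for exp_prefix, exp_asn in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version != exp_net.version:
            continue
        if net == exp_net:
            return ("ok" if ann.origin_asn == exp_asn else "origin-hijack", exp_prefix)
        if net.subnet_of(exp_net):
            return ("ok-more-specific" if ann.origin_asn == exp_asn else "subprefix-hijack", exp_prefix)
    return ("unmonitored", None)


def best_route(dst: str, table) -> Optional[Announcement]:
    """Longest-prefix-match selection: the routing rule that makes sub-prefix hijacks work."""
    ip = ipaddress.ip_address(dst)
    matches = [a for a in table if ip in ipaddress.ip_network(a.prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda a: ipaddress.ip_network(a.prefix, strict=False).prefixlen)


def find_hijacks(table, expected=EXPECTED_ORIGINS) -> list:
    """Return [(prefix, origin_asn, verdict)] for every suspicious announcement in the table."""
    out = []
    for ann in table:
        verdict, _ = classify(ann, expected)
        if verdict.endswith("hijack"):
            out.append((ann.prefix, ann.origin_asn, verdict))
    return out


# Constructed sample table: the legitimate /24, a /25 carved out of it and
# originated by an ASN that has no business with it, and an unrelated route.
SAMPLE_TABLE = [
    Announcement("203.0.113.0/24", (64510, 64500)),
    Announcement("203.0.113.128/25", (64520, 64666)),
    Announcement("198.51.100.0/24", (64511, 64501)),
]

if __name__ == "__main__":
    for prefix, asn, verdict in find_hijacks(SAMPLE_TABLE):
        print(f"{verdict}: {prefix} originated by AS{asn}")
    chosen = best_route("203.0.113.200", SAMPLE_TABLE)
    print(f"traffic for 203.0.113.200 follows {chosen.prefix} via AS{chosen.origin_asn}")
```

Note that `best_route` picks the /25 for addresses in its upper half and the legitimate /24 for the rest, which is exactly why a hijack can divert part of a network’s traffic without the victim’s own announcement ever disappearing from the global table.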

Reached by phone, Bryant Townsend, founder and CEO of BackConnect Security, confirmed that his company did in fact hijack Verdina/vDOS’s Internet address space. Townsend said the company took the extreme measure in an effort to get out from under a massive attack launched on the company’s network Thursday, and that the company received an email directly from vDOS claiming credit for the attack.

“For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.”

I noted earlier this week that I would be writing more about the victims of vDOS. That story will have to wait for a few more days, but Friday evening CloudFlare (another DDoS protection service that vDOS was actually hiding behind) agreed to host the rather large log file listing roughly four months of vDOS attack logs from April through July 2016.

For some reason the attack logs only go back four months, probably because they were wiped at one point. But vDOS has been in operation since Sept. 2012, so this is likely a very small subset of the attacks this DDoS-for-hire service has perpetrated.

The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.

A few lines from the vDOS attack logs.

97 comments

  1. I think it’s pretty amazing that they started this service since they were 14 (since they’re 18 now, and started in 2012). I know there’s a lot of “hackers” that are 16 years old etc, but for them to have fully functioning business entity that early is pretty impressive.

    • give these guys a job in cyber security and let them work for Mossad etc…… do not waste their talents.

  2. So maybe someone else helped them?

  3. Brian,

    Love your security research.. Regarding this one, the attack service used BGP Hijacking technique; this is not outside the realm of even what some ISPs in the US are using to ‘defend’ against and otherwise pro-actively attack the attackers. So what one is wrong, using the bad guys techniques against bad guys? Or just ignoring the threat or “letting them win” by null routing the IP range, and reporting the attacker to the authorities… Is there a win-win in this one? The internet has still some evolution to contend with in an international community. DNSSEC, etc. Things that are being used but not as much… and even some of the more basic fundamental pieces of the internet. The IP protocol (v4, v6) are still affected by the other pieces in the chain.. What I have to ask is … What would be an internationally acceptable form of “defense” against DDOS, etc without the null routing of your own IP range. I admit appliances and App Layer Firewalls are getting smart, but … Still takes resources ($$$). What do ya think? -Jason

    • Your comment started out intelligently enough, but then you question whether businesses getting attacked by a criminal are justified in defending against it. That’s asinine. What wouldn’t someone be justified in defending themselves against criminal activity? Would someone in the military let the enemy just shoot them dead because they aren’t allowed to use the same technique (firearm) to defend themselves? This sounds like something right out of the dark chasm of political correctness poison.

      • John, I think you missed the point here – and a little too quickly to be calling someone asinine.

        Null routing yourself, I agree, is not a defense. It’s just turning the other cheek.

        But attacking the ISP of a suspect, taking all other clients of that ISP down as collateral is more than just an attack. That’s just carpet-bombing the general location of an attacker. There may still be “civilians” there that you’re taking out.

        Sure, attack – but there has to be some internationally acceptable forms of attack as Jason suggests.

        We can’t be committing war-crimes in retaliation and call that “defense”.

  4. Just wanted to say thanks for the information, it is powerful.

  5. Oh vey it’s another Shoah.

    “Huri and Bidani were fairly open about their activities,”

    Because they’re the chosen ones hahaha.

    I bet you a dozen bagels they don’t go to prison, Brian.

    So at least I hope your snitch hacker stole some of their Shekels.

  6. Hi Brian

    Have the logs been removed from CloudFlare now?

  7. Typical Millennial hackers…. They feel ENTITLED to take down websites.
    Where are their helicopter parents NOW? Hmm?

  8. Are you people kidding me? Give them a job? What kind of message are you sending to the rest of the kids out? Do some big crimes and you will get hired? These guys, regardless of their age knew exactly what they were doing. They did it for money and knew it was wrong.

    The fact they blacklisted their own country shows that they don’t want to be victims of what they do to others. They should be jailed for at least 25 years but since they are in Israel they will probably pay a fine and nothing else.

    That country has become a safe haven for cyber criminals lately because their government is so soft with their own citizens. It would not surprise me one bit if local researchers knew for a long time who they were and who was running that criminal enterprise. They just look the other side since it’s a nice tool they can use as a cyber weapon in the future against other countries. It required, like usual, an American reporter to expose them.

    If these guys don’t land in jail, it will show what a joke of a country it really is. They are already free and at home running their next criminal business.

    In every other place in the world, even a third world country, they would get at least 5 years minimum if not extradited to the US. The FBI should request extradition immediately. The damage they caused is probably in the billions of dollars. This type of criminal is the reason we can’t have nice things and they are a real danger for the Internet as a whole. People running DDoS services should be punished with the biggest sentences of all since they are a threat to every single citizen in the planet that connects online or depends on the Internet. They are the equivalent of running an organization that sells nuke bombs to extremists. This is exactly what they were doing online.

  9. Are you people kidding me? Give them a job? What kind of message are you sending to the rest of the kids out? Do some big crimes and you will get hired? These guys, regardless of their age knew exactly what they were doing. They did it for money and knew it was wrong. The fact they blacklisted their own country shows that they don’t want to be victims of what they do to others.

    They should be jailed for at least 25 years but since they are in Israel they will probably pay a fine and nothing else. That country has become a safe haven for cyber criminals lately because their government is so soft with their own citizens. It would not surprise me one bit if local researchers knew for a long time who they were and who was running it. They just look the other side since it’s a nice tool they can use as a cyber weapon in the future. It required an American reporter to expose them.

    If these guys don’t land in jail, it will show what a joke of a country it really is. In every other place in the world, even a third world country, they would get at least 5 years minimum if not extradited to the US.

    The damage they caused is probably in the billions of dollars. This type of criminal is the reason we can’t have nice things and they are a real danger for the Internet as a whole.

    People running DDOS services should be punished with the biggest sentences of all since they are a threat to every single citizen in the planet that connects online or depends on the Internet. They are the equivalent of running an organization that sells nuke bombs to extremists. This is exactly what they were doing online.

  10. Life in prison along with a highly visual campaign in the media that DDOS-ers will be hunted down and made an example of.

    These scum hurt real people for profit. I have a friend who runs a small hosting business. Lost half his customers when the datacenter he was running in was constantly getting DDOS’d. This is hurting his family. They are seriously struggling now.

    These guys are like mafia. Make an example of them. Be sure script kiddies know whats coming if they keep exploring this area and try to profit from DDOS.

  11. I doubt they are the real force behind it. These kids are just a front for the real admins of this site, their youth is now their defense and they won’t suffer getting caught. All of the carelessness is too obvious.


#####EOF##### Krebs on Security


02
Apr 19

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.


31
Mar 19

Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.


29
Mar 19

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.


29
Mar 19

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla. based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.


22
Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.


21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.
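The failure described above is applications that wrote raw passwords into logs. One control that stops that class of mistake, as an added example that is not Facebook’s code and does not describe its systems: a Python `logging` filter that scrubs password-like fields out of structured log arguments and out of the rendered text before a line is written, so a careless debug statement cannot leak a credential. The field names, logger name and sample log calls are constructed for the example.

```python
import io
import logging
import re
from collections.abc import Mapping

# Constructed list of field names whose values must never reach a log line;
# a real deployment would extend it (tokens, session cookies, card numbers).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "new_password", "old_password"}

# key=value / key: value pairs in free text (query strings, hand-written debug lines)
_KV_RE = re.compile(
    r"(?i)\b((?:new_|old_|confirm_)?(?:password|passwd|pwd|pass))(\s*[=:]\s*)([^&\s,;\"']+)"
)
REDACTED = "[REDACTED]"


def redact_text(s: str) -> str:
    """Replace the value part of any password-like key=value pair in a string."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", s)


def redact_obj(obj):
    """Recursively scrub sensitive keys from mappings and key=value pairs from strings."""
    if isinstance(obj, Mapping):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_obj(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact_obj(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub the structured args first, render the message, then scrub the text.

    Args are cleaned before formatting so a dict passed as %s loses its password
    value; the rendered string is cleaned afterwards so hand-built "password=..."
    text is caught too. Args are then emptied so formatters do not re-render.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if record.args:
            record.args = redact_obj(record.args)
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def demo_lines() -> list:
    """Run three constructed careless log calls through the filter; return the output lines."""
    buf = io.StringIO()
    logger = logging.getLogger("example.auth")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)

    # Constructed examples of the kind of statement that leaks credentials.
    logger.info("login attempt user=%s password=%s", "alice", "hunter2")
    logger.info("request body: %s", {"user": "bob", "password": "s3cret!", "remember": True})
    logger.info("raw query: user=carol&pwd=letmein&next=/home")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

The filter hangs off the handler rather than the logger so that every record reaching that sink is scrubbed, including records propagated from child loggers; an allow-list of fields that may be logged is stronger still, but a deny-list filter like this one is the cheapest retrofit for an existing code base.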


17
Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.



13
Mar 19

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and SharePoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.


10
Mar 19

Insert Skimmer + Camera Cover PIN Stealer

Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.

And sometimes, the scammers just hijack the security camera built into the ATM itself.

Below is the hidden back-end of a skimmer found last month placed over top of the customer-facing security camera at a drive-up bank ATM in Hurst, Texas. The camera components (shown below in green and red) were angled toward the cash machine’s PIN pad to record victims entering their PINs. Wish I had a picture of this thing attached to the ATM.

This hidden camera was fixed to the underside of a fake lens cover for the skimmed ATM’s built-in security camera. Image: Hurst Police.

The clever PIN grabber was paired with an “insert skimmer,” a wafer-thin, usually metallic and battery-powered skimmer made to be fitted straight into the mouth of the ATM’s card acceptance slot, so that the card skimmer cannot be seen from outside of the compromised ATM.

The insert skimmer, seen as inserted into the card acceptance device in the hacked ATM. Image: Hurst PD.




13
Mar 19

Ad Network Sizmek Probes Account Breach

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of these people are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world’s third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not an all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — were likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”

The Sizmek incident carries a few lessons. For starters, it seems like an awful lot of people at Sizmek had access to sensitive controls and data a good deal longer than they should have. User inventory and management is a sometimes painful but very necessary ongoing security process at any mature organization.

Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately.

Pappachen asked KrebsOnSecurity what else could have prevented this. I suggested some form of mobile-based multi-factor authentication option would prevent stolen credentials from turning into instant access. He said the company does use app/mobile based authentication for several of its new products and some internal programs, but allowed that “the legacy ones probably did not have this feature.”

PASSWORD SPRAYING

It’s not clear how this miscreant got access to Sizmek’s systems. But it is clear that attackers have moved rapidly of late toward targeting employees in key roles at companies they’d like to infiltrate, and they’re automating the guessing of passwords for employee accounts. One popular version of this attack involves what’s known as “password spraying,” which attempts to access a large number of accounts (usernames/email addresses) with a few commonly used passwords.

There are technologies like CAPTCHAs — requiring the user to solve an image challenge or retype squiggly letters — which try to weed out automated bot programs from humans. Then again, password spraying attacks often are conducted “low and slow” to help evade these types of bot challenges.
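Because spraying spreads failures thinly across many accounts, a per-account lockout threshold never fires; the signal is one source failing against many distinct usernames over a long window. The detector below is an added example (not code from the article, Sizmek or Citrix) run over a constructed log format, with thresholds chosen for the sample data.

```python
"""Password-spraying detection over authentication logs.

Added example, not code from the article or from Sizmek/Citrix. A per-account
lockout threshold never fires on spraying, because each account sees only one
or two failures; the signal is one source producing failures spread thinly
across many distinct usernames. The window is 24 hours rather than minutes,
since the article notes these campaigns run "low and slow" to evade bot checks.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
# <ISO timestamp> auth <ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. 198.51.100.7 sprays eight accounts over ten hours,
# one failure each, then logs in as one of them. 203.0.113.9 is a user who
# mistyped twice. 192.0.2.5 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2019-03-10T01:02:11Z auth fail user=alice src=198.51.100.7
2019-03-10T02:17:40Z auth fail user=bob src=198.51.100.7
2019-03-10T03:33:05Z auth fail user=carol src=198.51.100.7
2019-03-10T04:49:52Z auth fail user=dave src=198.51.100.7
2019-03-10T06:04:19Z auth fail user=erin src=198.51.100.7
2019-03-10T07:21:37Z auth fail user=frank src=198.51.100.7
2019-03-10T08:36:58Z auth fail user=grace src=198.51.100.7
2019-03-10T09:52:24Z auth fail user=heidi src=198.51.100.7
2019-03-10T11:08:45Z auth ok user=erin src=198.51.100.7
2019-03-10T09:00:01Z auth fail user=carol src=203.0.113.9
2019-03-10T09:00:15Z auth fail user=carol src=203.0.113.9
2019-03-10T09:00:41Z auth ok user=carol src=203.0.113.9
""" + "".join(
    f"2019-03-10T13:{m:02d}:00Z auth fail user=dave src=192.0.2.5\n" for m in range(12)
)


def parse(log):
    """Parse log text into (timestamp, result, user, src) tuples, skipping junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def classify_sources(events, window=timedelta(hours=24), min_users=5,
                     max_per_user=2, brute_threshold=10):
    """Label each source IP as 'spraying', 'brute-force' or 'normal'.

    For every failure from a source, look at the failures that follow it within
    `window`. Many distinct users with at most `max_per_user` failures each is
    spraying; `brute_threshold` failures against one user is brute force.
    Thresholds are constructed for the sample and should be tuned per site.
    """
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "fail":
            fails_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        label = "normal"
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                label = "spraying"
                break
            if max(per_user.values()) >= brute_threshold:
                label = "brute-force"
                break
        verdicts[src] = label
    return verdicts


def likely_compromised(events, verdicts):
    """Accounts that logged in successfully from a source already judged to be spraying."""
    return sorted({user for _, result, user, src in events
                   if result == "ok" and verdicts.get(src) == "spraying"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for src, label in sorted(verdicts.items()):
        print(f"{src:<14} {label}")
    print("review/force reset:", likely_compromised(evs, verdicts))
```

When attempts are laundered through many hacked devices, as the article describes for the IoT botnet, the per-source view breaks down and the same distinct-user count has to be taken across all sources at once.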

Password spraying was suspected in a compromise reported last week at Citrix, which said it heard from the FBI on March 6 that attackers had successfully compromised multiple Citrix employee accounts. A little-known security company, Resecurity, claimed it had evidence that Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data.

Resecurity drew criticism from many in the security community for not sharing enough evidence of the attacks. But earlier this week the company updated its blog post to include several Internet addresses and proxies it says the attackers used in the Citrix campaign.

Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018. Citrix initially denied that claim, but has since acknowledged that it did receive a notification from Resecurity on Dec. 28. Citrix has declined to comment further beyond saying it is still investigating the matter.

BRUTE-FORCE LIGHT

If anything, password spraying is a fairly crude, if sometimes marginally effective, attack tool. But what we’ve started to see more of over the past year has been what one might call “brute-force light” attacks on accounts. A source who has visibility into a botnet of Internet of Things devices that is being mostly used for credential stuffing attacks said he’s seeing the attackers use distributed, hacked systems like routers, security cameras and digital video recorders to anonymize their repeated queries.

This source noticed that the automated system used by the IoT botmasters typically will try several dozen variations on a password that each target had previously used at another site — adding a “1” or an exclamation point at the end of a password, or capitalizing the first letter of whole words in previous passwords, and so on.

The idea behind this method is to snare not only users who are wholesale re-using the same password across multiple sites, but also to catch users who may just be re-using slight variations on the same password.

This form of credential stuffing is brilliant from the attacker’s perspective because it probably nets him quite a few more correct guesses than normal password spraying techniques.

It’s also smart because it borrows from human nature. Let’s say your average password re-user is in the habit of recycling the password “monkeybutt.” But then he gets to a site that wants him to use capitalization in his password to create an account. So what does this user pick? Yes, “Monkeybutt.” Or “Monkeybutt1”. You get the picture.
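The same mutation logic can be run from the defender’s side: at password-change time, compare the candidate against the user’s previous password and refuse anything in the variant space the botnet would try first. This is an added example, not code from the article; the decoration pattern, the six-character substring floor and the two-edit limit are constructed thresholds.

```python
"""Reject new passwords that are trivial variants of a previous one.

Added example, not code from the article. It applies the mutation logic the
article attributes to the "brute-force light" botnet (appended "1" or "!",
capitalised first letter or words, a character or two changed) from the
defender's side: at password-change time, the candidate is compared with the
user's previous password and refused if it lies in that variant space.
"""
import re
from typing import List, Optional, Tuple

# Trailing digits/punctuation that users bolt onto a recycled password.
_DECORATION = re.compile(r"[\d!@#$%^&*?.]+$")
# Shortest previous-password core worth matching as a substring (constructed threshold).
_MIN_CORE = 6
# Edits (insert/delete/substitute) within which two passwords count as the same.
_MAX_EDITS = 2


def _core(pw: str) -> str:
    """Case-fold and strip trailing decoration: 'MonkeyButt2019!' -> 'monkeybutt'."""
    return _DECORATION.sub("", pw).lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def variant_reason(candidate: str, previous: str) -> Optional[str]:
    """Return why `candidate` is a trivial variant of `previous`, or None if it is not."""
    c, p = _core(candidate), _core(previous)
    if p and c == p:
        return "same password with different case or trailing digits/symbols"
    if len(p) >= _MIN_CORE and p in candidate.lower():
        return "previous password embedded in new password"
    if _edit_distance(candidate.lower(), previous.lower()) <= _MAX_EDITS:
        return "within two edits of previous password"
    return None


def check_new_password(candidate: str, history: List[str]) -> Tuple[bool, str]:
    """Accept only if `candidate` is not a trivial variant of any password in `history`."""
    for old in history:
        reason = variant_reason(candidate, old)
        if reason:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed history and attempts, using the article's example password.
    history = ["monkeybutt"]
    for attempt in ["Monkeybutt", "Monkeybutt1", "monkeybutt!", "MonkeyButt2019!",
                    "m0nkeybutt", "Ihaveapassword4!"]:
        print(f"{attempt:<18} {check_new_password(attempt, history)}")
```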

There’s an old saying in security: “Everyone gets penetration tested, whether or not they pay someone for the pleasure.” It’s kind of like that with companies and their users and passwords. How would your organization hold up to a password spraying or brute-force light attack? If you don’t know, you should probably find out, and then act on the results accordingly. I guarantee you the bad guys are going to find out even if you don’t.


29 comments

  1. The Sunshine State

    “monkeybutt” in plain text or take the same thing and encode in Base 64 which is “bW9ua2V5YnV0dA==”

    Which one is a better password? I don’t see why more people are doing this.

    • Perhaps because it’s pretty much impossible to remember? I’d say that’s why.

      And if you’re going to put it in a password manager, then you might as well use a decent passphrase to begin with.

      • The Sunshine State

        I disagree with you. If you take a phrase you always remember like “TheSunshineState”, then it’s just a matter of inputting the data in a Base 64 encoder to obtain the same password over and over again, which is pretty simple because it’s always the same.

        The password strength of doing this is incredibly strong if you go over 10 characters, so an attacker doing a brute-force or dictionary attack would have an extremely hard time if the website uses a strong hash along with the use of salt.

        • Wrong. If you choose a simple password, and then do “something clever” to it to make it look random, it’s still a bad password.

          It can help against basic online attacks like is described in this article, however as soon as some service you use has their password database stolen (it happens ALL THE TIME) you’re hosed. It would just be one more transformation rule among many that the crackers apply to their wordlists, especially if a lot of people start doing it.

          As a rule of thumb: if your password would be weaker if an attacker knows how you came up with it, then it’s not a good password.

          It’s simpler AND easier to do one of these instead:

          * Use a password manager
          * Use a randomly generated diceware phrase
          * Come up with a long gibberish sentence (if you have trouble remembering diceware)

      • Ah, no. You should forget you ever read anything about “correctbatteryhorsestaple” on XKCD, and opt for a *completely random* 15-18 character password.

    • The longer password is better, because it is longer. Randomness, or the appearance of randomness, has less importance in password cracking than length.

      I’ll quote myself from 27 Nov. 2018:

      Randomness in a password’s characters only has a marginal effect on difficulty to crack it, because it frustrates a dictionary-based attack. But that’s it.

      The best password is long and easy to remember, so you’ll be able to use it without jotting it down.

      Here’s why a long password beats a complex one:

      https://math.stackexchange.com/a/1934499

    • Common permutations are easy to account for if you are trying to crack a dictionary password, and encoding something in base 64 is a one-to-one translation that offers no gain in entropy. Basically “bW9ua2V5YnV0dA==” is *exactly* as hard to guess as “monkeybutt” if you are including base 64 encodings of your guesses as well, and why wouldn’t you?

      There is an important difference between encoding and encryption. Encoding offers no gain in entropy. It’s a one-to-one and onto transformation. It’s invertible, so given an *encoded* string, it is trivial to get the non-encoded string back (granted it helps to know what the encoding was).

      And the long password vs. random password argument (getting off topic from your post now): grammatically correct English has about 4 bits of entropy per word according to some studies, which is pathetic! Random word choices have up to 12 bits per word according to some studies (xkcd assumes this number for any word), which can get you a pretty strong and easy to remember password with four random words. Random characters have about 7 bits each, but you can cram a ton of them together in a short password. Neat. Why not go long and random with a password manager?

      tl;dr, get a password manager.

      • Correction to my previous comment: random words drawn from all of the English language have a TON of entropy per word, but you are pretty likely to get words that are hard to remember or spell. Random common words give you about 12 bits of entropy per word, depending on how you define “common”. Much lower than all words, but much easier to remember, and you can string several together.

        Still, fully random long passwords are best. Use a password manager.

      • Wouldn’t adding a salt to the password and then transforming it be sufficient? For instance, HASH(correcthorsebatterystapleXYZ)? If that’s a valid assumption then you could use a password manager to save the salts, which you can change instead of the passwords.

        • If by “hash” you mean convert to Base 64, then you are only gaining whatever entropy the salt gives you by itself. I guess the first point I am trying to make is that 1-to-1 conversions like encoding in Base 64 don’t gain you anything.

          If you mean using passwords you can remember while storing random salts with a password manager, I guess that could work. Why not just use the password manager outright though? I think if you have a short salt this could leave you vulnerable to the password spraying approach mentioned in this article, e.g. if you reuse the same password with a different salt, then anybody who knows the base password has gotten a long ways toward factoring a hash that they might have for some other account of yours.

          Basically when in doubt, random is your friend. An 18-character random password drawn from all letters, numbers, and symbols gives something like 126 bits of entropy, or 4e37 guesses for a 50% chance of finding your password. At 1e16 guesses a second (peta-Hertz guess rate, so somebody is throwing serious money at this problem), that gives you 1e15 years until you hit the 50% mark. Granted you could guess right on the first try, but it’s extraordinarily unlikely.

    • Would it make it more random? Sure. Will you get anyone to use it in a business setting? Not likely.

      You’re not going to get anyone beyond tech people remotely interested in that. Try selling it to your accounting or HR group. We are here to educate and help businesses stay safe. You’ll get laughed, if not run out of a room suggesting that to employees. MFA and password managers are the best bet for the time being.

  2. Good catch.

    Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018 [!!!]. Citrix initially denied that claim [!!!], but has since acknowledged that it did receive a notification from Resecurity on Dec. 28 [!!!]. Citrix has declined to comment further [???] beyond saying it is still investigating the matter.

    • Their public relations spokesperson should be sacrificially fired, after replying with such stupidity, even if being hurried and pressured into a statement by the press or others. They should have bought time, with a BS statement such as:

      At Citrix, we take security related matters very seriously. We cannot comment at this time as the matter is currently under review.

      Then they could scramble to do what they should have done in the first place! Like look into any security-related notifications whether reported via the outsourced Filipino/Indian customer service center, a sales rep or any other mode of contact.
      They probably have no formal method in place to deal with such notifications, or the process is so onerous no one can penetrate it, like when the teen who first reported the FaceTime vulnerability to Apple.

      • Do you actually believe the PR person who delivered the statement unilaterally approved that statement for release? Doubtful. It was likely approved by someone higher up than PR.

  3. And all those “world’s top online properties” wonder why those of us who are security conscious choose to block ALL ads, not just those that violate our privacy.

  4. We used to do a “super randomized complex password” scheme, like rolling your face on the keyboard for password gen (i.e. W3BW$hs#$YuK), but honestly all we found out is, like said above, it only actually thwarts standard dictionary attacks. For brute-force the 16 character password “Ihaveapassword4!” is just as complicated as “H58ccE$lao%g1v*z” because they both follow the same convention of “At least one upper and lower case, at least one number and at least one special character”. The horrible part is that when we insisted on those “complex” passwords, all it really did was make people write them down more and leave them in places around their office.

    Password length is really the only real method you’ll get decent security with. I’m turning more now to using those same requirements, but also turning the password length requirements up to 20 or 24. So I suggest my users just think of some words that they could remember, string ’em together, throw in some capitalization, numbers and season with special characters. Makes it much more memorable and less likely for someone to write it down on a post-it note and tape it to their monitor *facepalm*.

    And if you really want to get fun, see if what you are putting your passwords in allows you to use a space in your passwords. It really ups the level of “complexity” when you do because a lot of brute force for whatever reason doesn’t seem to check for the spaces.

    • Complex passwords almost always result in people writing them down on sticky notes and hiding them in “super secure places” like under their keyboards. Or, digital sticky notes that come natively with Windows. I remember my boss was sharing his screen with me not too long ago and he closed his browser which showed his desktop. All of his passwords for all accounts were on sticky notes… and this was a very large information security company. I still laugh at that. I can maybe see a password-protected Excel spreadsheet that is also encrypted (if you’re going those lengths, why not get a password manager? I digress…), but everything on sticky notes? Really? The worst part is, he isn’t the only one. We’re only as good as our cyber hygiene.

      • I use KeePass religiously

      • “why not get a password manager?”

        To put it simplest: most people don’t understand what encryption is/is for.

        What I usually tell people is: use words, sure, but randomly generate them. Caltrop them with random bits too if you can manage it. The longer the better- if the system will let you, anyway.

        Then we invariably get into password managers and the value of encryption, because- as I said- most people don’t really know what that means.

        They see no difference in value between keeping passwords in a Word document and keeping them in an encrypted vault.

  5. Brian, I sent you a direct message on Twitter. I hope you read it

    🙂

  6. ChrisSuperPogi

    “Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately.”

    Well said!

    Pappachen’s inquiry on “what else..” becomes moot and academic if the governance is not practiced very well.

    My $0.02

  7. OK, I want to use a password manager.
    What should I look for in features?
    And, what should I avoid?
    Thanks

    • Depends on what you’re comfortable with/want.

      This is always a balancing act between security and convenience.

      Probably the first fork in that road is: do I use an “online” password management system, or do I keep an encrypted vault offline?

      Both approaches have pros and cons. An online vault is simpler, more accessible, but you have to reckon with whether or not you trust the people keeping it, and even then you have to accept a certain degree of risk there.

      You could keep a vault offline, but that puts the burden of file management entirely on you.

      The next most important featureset is probably the sorts of credentials you’re allowed to use for access to the manager/vault. Many are now offering some form of 2FA, as an example.

    • I strongly advise against password managers, both because of complexity and trust issues.

      Anything connected to a website is insecure. Anything kept on an Internet-connected device is insecure. All major password managers were recently found to leak memory to other apps, where your passwords could wind up online.

      Consider your coworkers and loved ones, who will pick up the pieces when you die. It’s inevitable.

      Anything too complex will mean tremendous headaches and heartaches for them. Keep it simple enough for them.

      I’m a big fan of just storing my personal passwords in an old address book on my desk. Every few months, I make a photocopy of any updates and new credit, bank, and ID cards, put in an envelope, and leave it in my bank’s deposit box.

      I’ve never lost a password or had technical issues with this method. It is impervious to hacking and fire, as well. And it’s very easy for my family to get, when I’m gone.

      For work, I just use a password-protected spreadsheet that I keep in an off-line computer. It’s hackable, but you’d have to be on-site to try. And if you’re already on-site breaking in to stuff, there are bigger concerns than some stupid passwords.

      Every month, I’ll print out a copy to keep in our office safe, accessible to myself and my partners.

      Complexity is the enemy of convenience. You’re only as secure as the system you choose to follow regularly, so keep it convenient.

  8. Thank you for the article, good read. It made me think about the less ways to take advantage of this though. i.e. all major US mobile carriers (as far as I know) have special “*” or “#” dialing sequences that when dialed, will forward all calls. A phishing attack could either convince people to dial a sequence or possibly even a well crafted link could cause people to click it and attempt to dial, essentially forwarding all their calls, and with at least a few of the major MFA implementations I’ve seen, phone calls are usually a secondary option for the SMS # on file.

    The other means is the new VoIP features from carriers like TMobile. TMobile’s “DIGITS” feature lets you use an app to login to your phone number, which gives access to inbound/outbound calling and SMS. So simply compromising one’s TMobile account in a phishing attack would give an attacker the ability to 1. Turn on DIGITS if not already enabled and 2. essentially have full access to any # on the account via the DIGITS app.

    I’m not knocking digits by any means, I think it’s an innovative technology. We just need to look at attacks, both technical and social, from all angles.
    -Ed



Crooks Hijack Retirement Funds Via SSA Portal — Krebs on Security

18
Sep 13

Crooks Hijack Retirement Funds Via SSA Portal

If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time to take care of that: The SSA and financial institutions say they are tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have that retiree’s benefits diverted to prepaid debit cards that the crooks control.


The SSA’s “my Social Security” portal.

Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program. The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal, which opened last year and allows individuals to create online accounts with the SSA to check their earnings and otherwise interact with the agency relative to their accounts.

Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General, said that for several years the agency was receiving about 50 such allegations a day, though those numbers have begun to decline. But thieves didn’t go away: They just changed tactics. The trouble really began earlier this year, when the Treasury started requiring that almost all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

At the same time, the SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site. According to Lasher, as of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity. Lasher said while some of the complaints are the result of unsuccessful attempts to open an account fraudulently, some are indeed fraud.

“Social Security has already improved security over this online feature, and we continue to work with them to make additional improvements, while also investigating allegations we receive,” Lasher said. “While it’s an issue we’re taking very seriously, it’s important to keep in mind that about 62 million people receive some type of payment from SSA every month, so the likelihood of becoming a victim is very small, particularly if you’re careful about protecting your personal information.”

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam. Lasher said in the SSA’s systems, every record is tied to the SSN rather than a person’s name, since there are so many duplicate names.

“Of course, the one way to ensure that no one opens an account in your name is to open one yourself,” Lasher said. “Given the nature of other articles on your site, I think it’s important that I point out that there is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.”

SECRET BEST PRACTICES

Terry Maher, general counsel for the Network Branded Prepaid Card Association (NBPCA), said the SSA has begun asking verification questions of beneficiaries who use the my Social Security portal — such as the date and amount of last deposit — before allowing the transfer of payments to a different bank account.

Meanwhile, some banks with customers that have been burned by fraudulently diverted SSA payments are beginning to back away from managing SSA account payment changes for customers, Maher said. Increasingly, those banks are directing customers to make such changes at their local SSA office or at the SSA’s new portal. Maher said that’s because the government recently instituted a process for reclaiming funds that are fraudulently transferred to accounts that were not authorized by the beneficiary.

“Believe me, the banks and the prepaid card issuers and program managers are looking very closely at what their process is for this now because of the reclamation rights that the U.S. Treasury Department has,” Maher said, noting that although the U.S. government has always had the right to reclaim fraudulent transfers, it rarely ever exercised that option on Social Security payments. Now, that’s starting to change in a way that’s gotten the industry’s attention, he said.

“Some institutions have frankly decided that because of the difficulty of verifying people, they’ll refer them to the agency, while others are looking to out-of-wallet questions and Device ID solutions to better understand who they’re dealing with,” Maher said. “The government is putting in place processes for doing that, and to make sure the incentives are there for the [financial] industry to make sure they know who they’re doing business with.”

The NBPCA’s Maher said the association has developed a set of best practices for the prepaid card industry to fight this and other growing forms of fraud involving government-to-consumer benefits. But he declined to discuss those best practices, saying it would give identity thieves and fraudsters ideas about how to get around them.

To get an idea of what those practices might entail, I reached out to Meta Payment Systems, a major prepaid card provider whose card network was used in SSA fraud conducted against one SSA beneficiary who recently reached out to KrebsOnSecurity.

Brian Pulling, vice president of Meta’s financial intelligence unit, said the company is seeing prepaid fraud “across virtually all types of government programs now,” and that fraud involving SSA payment diversions “seems to have kicked into high gear.”

Meta says its fraud department continuously reviews the volume of incoming automated clearing house (ACH) transfers on its prepaid platform for certain types of loads.

“Through these reviews, the fraud analysts look for certain red flags of fraud. The fraud analyst utilizes fraud industry tools to authenticate or verify information to either confirm or reject the transaction from the Social Security Administration,” the company said in a written statement. “If the ACH load is rejected due to fraud it is returned to the Social Security Administration promptly.”

WARNING SIGNS

Elaine Dodd, vice president of fraud training at the Oklahoma Bankers Association, said banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail, and that many customers will overlook such notices. One small member bank in Dodd’s state recently had complaints from two different customers whose SSA payments were diverted to prepaid accounts controlled by identity thieves.

“If we had one tiny little bank here that had two of these incidents in one day, that’s a lot,” Dodd said. “It tells me that this is a much bigger problem nationwide.”

Dodd said the pattern of fraud associated with these recent attacks on SSA beneficiaries mirrors the type of fraud being perpetrated in other types of government-to-consumer fraud, particularly tax return fraud.

“With the IRS fraud, the bad guys get people across a spectrum of ages, but with the SSA fraud, they get the elderly,” Dodd said. “To make matters worse, a lot of these victims are simply not connected to the Internet.”

Creating a my Social Security account to prevent this type of fraud is a good safeguard, but it’s also important not to introduce new threats in the process. Namely, if you’re not sure about the safety and security of your computer (or the computer used by a loved one who may be worried about this), make sure you start with a clean system before entering all of that sensitive information online. If your friend or relative needs to take care of this, consider helping them set it up using a Live CD. This approach can let anyone enter information online safely, even from a machine on which the hard drive is already infected with malicious software.

Anyone interested in additional stats on SSA fraud should see the testimony that the agency gave to Congress in June 2013.


34 comments

  1. This is going to happen more often as government agencies do business online. The Obamacare health exchanges are going to be a nightmare.

    • What are you basing this statement on? Do you have knowledge of how the exchange is going to process PII? Seems like a comment based on your opinion of Government agencies in general.

      Do you even know what the exchange will be providing to the folks who decide to use it?

      It is not a government benefit program, it is a mercantile based selection system which provides private health care offerings to people who decide to use it.

      It is not a mandatory system that requires everyone to register.

      Seems to be a great deal of confusion surrounding this hot political item.

      • With groups on all sides spreading misinformation (if not outright lies), confusion and ignorance is inevitable.

  2. Never thought that *not* having an account somewhere could be a risk but it seems it is.

    • I heard that it’s actually a good idea to create Facebook account even if you don’t use it. This also prevents someone from acting like you.

      • FaceBook allows for many accounts with the same name. Unless you have a very unusual name, chances are there are already several accounts with your name. Having a FB account will not prevent anyone from using your name and acting like you. It’s the information associated with the name – photos, birthdays, etc – that identify you on FB.

      • I’ve had a dozen people try to create a Facebook account for this email address.

        The only advice I’ve received to counter this really annoying process is to associate it with a Facebook account.

        Note that eventually people will start hacking existing mySSN accounts by relying on password resets and similar. Today since there are proportionally few claimed accounts, it’s cheaper to hack (socially engineer) the account creation side.

  3. I have something to say on the subject of doing business with the Social Security Administration through a personal computer. Your anti-virus software might not flag all the trojans and spyware on your computer. I’m finding more spyware and more trojans using Malwarebytes than when I just use my anti-virus client. (Malwarebytes is free)

    Hope This Helps.

    • MB is great, but the real lesson to be learned is that you should rely on more than one program to provide protection. While miscreants may block themselves from being detected by one program, they often won’t block themselves from all programs.

      For decent performance you should only have one real-time scanner running and rely on the others for manual/scheduled scans.

      • Yeah tis good. Other than the IP blocking which seems to have about 50% of the internet marked as malicious 😉

      • You can have more than one real time engine going at the same time – it is just that they need to use different or overlapping technologies; the only way to know for sure is carefully examining the event viewer for errors. Needless to say using more than one AV or firewall is inadvisable unless you know what you are doing.

        Passive real time protection can be used as much as you like, and still help on the blended defense. I use Avast and MBAM together, because one is primarily an anti-virus (and greyware), and the other an anti-malware solution. I actually have several anti-malware running at the same time, but they all use different science, like host files – registry hacks – and browser blocking settings. I never have trouble with slow performance, errors, or CPU/RAM hogging. My clients have few problems, if they update their free stuff regularly.

  4. While I truly hate making it any easier for the government to intrude on my life, I guess this is important.

    And what is with the question about domestic abuse on the first page?

    What does that have to do with SS benefits?

    Thanks Brian once again for your important help.

    • Maybe the SSA is more concerned about physical extortion of their hard earned money than making the site secure.

      One has to remember that the older folk may not be able to defend themselves and manipulation is poison for them. Some may have to unwillingly hand over their sole income to a vile relative, roommate or caregiver.

      Maybe that simple question will aid, somehow, in making the issue right, over time.

  5. I just passed the word on. Thanks as usual for keeping up with all this…

  6. Thanks, Brian. I’ve passed it on to friends with parents who are in the target group. Some of the them resist change, but it’s nice to have the information.

  7. There have also been SMS phishing attacks aimed at users of Social Security Direct Express debit cards. We’ve seen them in low volumes for a couple of years, but they ramped up in April of this year. Here are some typical messages that were forwarded to 7726 (the GSMA’s Spam Reporting System).

    “[DirectExpress] Card:533248-XXXX.Attention Call:6269320082”
    “(Call: 18664279861) Contact US Direct Express. Your Attention is needed.”
    “Call: 810-360-4452. US Direct Express 533248XX Accnt Issue.”

    Since all Direct Express cards begin with the same string of numbers, the spammers can include this to make their texts seem legitimate.

    Andrew Conway, Research Analyst, Cloudmark Inc.
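As an added example that is not part of the comment above or of Cloudmark’s tooling, the scanner below encodes the lure Andrew Conway describes: a Direct Express brand or the card prefix every Direct Express card shares (533248) paired with a callback number. The sample messages are constructed (555 numbers); only the prefix and the message shape come from the comment.

```python
"""Flag SMS text that mimics Direct Express card alerts.

Constructed example. The only page-derived facts are the shared card prefix
533248 and the shape of the reported lures; phone numbers here are made up.
"""
import re
from dataclasses import dataclass, field

DIRECT_EXPRESS_BIN = "533248"  # first six digits shared by every Direct Express card (from the comment)

# Brand impersonation, allowing the spacing/casing variants seen in the lures.
BRAND_RE = re.compile(r"direct\s*express", re.IGNORECASE)
# The shared BIN followed by digits or masking characters, e.g. 533248-XXXX or 533248XX.
CARD_RE = re.compile(rf"\b{DIRECT_EXPRESS_BIN}[-\s]?[\dXx*#]*")
# A ten-digit North American number, optional leading 1, with common separators.
PHONE_RE = re.compile(r"(?<!\d)1?[\s(.-]*\d{3}[\s).-]*\d{3}[\s.-]*\d{4}(?!\d)")
# Verbs that push the reader toward a voice channel the sender controls.
CALLBACK_RE = re.compile(r"\b(call|contact|dial|phone)\b", re.IGNORECASE)

# Constructed samples modelled on the three lures in the comment, plus two benign texts.
SAMPLE_SMS = [
    "[DirectExpress] Card:533248-XXXX.Attention Call:5550100100",
    "(Call: 18005550101) Contact US Direct Express. Your Attention is needed.",
    "Call: 555-010-0102. US Direct Express 533248XX Accnt Issue.",
    "Your Direct Express deposit posted on 09/03. For help, use the number on the back of your card.",
    "Reminder: dentist appt Tue 10am, call 555-010-0103 to reschedule.",
]


@dataclass
class Verdict:
    message: str
    suspicious: bool
    reasons: list = field(default_factory=list)
    callback_numbers: list = field(default_factory=list)


def normalize_phone(raw: str) -> str:
    """Reduce a matched number to ten digits so variants of one number compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def analyze(message: str) -> Verdict:
    """Score one message. A phone number alone is normal; it becomes a lure when
    it is paired with the card fragment, or with the brand plus a call-to-action."""
    brand = BRAND_RE.search(message) is not None
    card = CARD_RE.search(message)
    callback_verb = CALLBACK_RE.search(message) is not None
    phones = [normalize_phone(m.group(0)) for m in PHONE_RE.finditer(message)]

    reasons = []
    if card:
        reasons.append(f"card fragment built on the shared Direct Express BIN: {card.group(0)}")
    if brand and callback_verb:
        reasons.append("Direct Express brand used with a call-to-action")
    if phones:
        reasons.append("inline callback number(s): " + ", ".join(phones))

    suspicious = bool(phones) and (card is not None or (brand and callback_verb))
    return Verdict(message, suspicious, reasons, phones)


def flagged(messages):
    """Return only the verdicts worth a reviewer's attention."""
    return [v for v in map(analyze, messages) if v.suspicious]


if __name__ == "__main__":
    for v in flagged(SAMPLE_SMS):
        print(f"FLAG: {v.message}")
        for r in v.reasons:
            print(f"   - {r}")
```

The benign deposit notice is not flagged because it carries no inline callback number, which is the feature the lures depend on.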

  8. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore/PRISM

    Interesting article

  9. When I signed up for social security, I used the SSA website and was frustrated that it only allowed an all numeric password. When are they going to get realistic and allow for alphanumeric special character upper & lower case components of the password?

    • It depends on the age of the individual who is creating these accounts, I guess. I think it would be easier to remember some numbers than trying to remember what password you have entered in.

      But the crooks know that the elderly will probably use their SSN, Phone Number, House Number, DOB or combinations of those to come up with a numbered password.

      I think the lockout should be set to 10 tries, that seems like a fair amount for the elder-folk. Those that are on SSA – at least the vast majority, are probably on the fringe when computers were coming online, so it’s tough to tell whether they have much skills on the PC. So keeping it simple for them may be the right way.

      Just make the requirement 11 or more numbers, so they cannot simply enter their phone number in and think they are safe.

  10. After this article SSA fraud will rise 5000%, guaranteed, all thanks to Brian 🙂 He always brings new ideas to the masses. Respect.

    Sometimes I think he is actually doing this for criminals. I mean, who needs all these details!! It’s like a manual on how to steal from the SSA. Sweet. That must be why they love you so much... This website is a gold mine for criminals...

    • Your name should be “Mr. Cynical.”

    • Yes it is much better to not cover it and let the issue persist because they don’t feel it merits enough attention to fix it… Security through obscurity eh?

    • He is actually educating people on how not to fall for any scam/fraud online. The masterminds in online crime are way ahead of Mr. Krebs. Also, it is showing a real example of a working scam.

  11. Today I tried to access http://www.ssa.gov/myaccount and set up an account, and was informed that it could not do it. I also tried logging in with my original name and the number – again no luck. Have they shut this down? I am 68 and use direct deposit.

      • Thanks Brian. Really enjoy your column. Still doesn’t work for me…. Sure don’t want to sit on the phone. There is certainly nothing weird about me.
        John

        • Brian, I suspect my problem is because I have credit checking blocked. This is becoming so common, they should pass on the error. And make it known up front.
          Now I have to go pay to unblock, if only I knew WHICH credit site they use!
          John

          • I went there too, but used an independent link in another search. Despite having a previous account they acted like they never heard of me. I had them send me a temporary code in my email so I could recover the account. After answering some pointed questions and redoing my security questions, I had success.

            I think they assume it is safer to just blow away the old account links and start over to be completely safe. I can’t really blame them. I was impressed with how they refuse all but the most secure passwords now. They have definitely ramped up security over there, compared with where they were two years ago.

            • Same with me. Login doesn’t work, no account found. I used it initially to set up deposit accounts but that was 3 years ago now. Looks like they just blew the accounts away. I do not have my credit files locked. Could be that not using it for some period of time gets it removed. All payments have been regular as clockwork.

    • I had the same thing happen to me. When I contacted SSA about it they said Experian has a fraud hold on my credit report, which tells us a couple of things, good things I think. One is that SSA is cross-referencing new account creation attempts with the credit bureaus, and another is that the credit bureaus are actively policing the reports in their custody and placing fraud alerts on some or all of them. I still need to look into that and decide if I want Experian to lift the fraud alert so I can create an SSA online account. After reading this article I think I’d better get on that right away.

  12. I just went to the portal – and it’s only open from 5AM to 1AM Eastern Time. Well, it’s 12:20 AM Pacific Time here, gov. It’s a WEB SITE. Stay open 24 hours!

    I’m also waiting to see what sort of “verification questions” they use, since it’s almost trivial for anyone with a social media presence to have given out most of those answers already, for hackers to slurp up and use.

    • Simple solution: DON’T post those kinds of things on your social media account, and/or DON’T use question/responses that are about the information you have posted. I sometimes make up fantasy responses (and record them so I know later what they are), for websites who don’t offer anything but the most common sort of verification questions.

  13. I’ve found that one cannot register if one does not have a US mailing address. Having read the foregoing comments, I assume that’s because there is no record of me at the credit checking bureaux. Why should I, and others in the same situation, be left exposed?

  14. And in the always-on-top-of-things-when-it-comes-to-security department: The link bandied about for this service is http://www.ssa.gov. Since this is a site at which you’ll be entering important personal information, it’s prudent to connect to it using https. But … https://www.ssa.gov produces an “invalid certificate” error, because it serves up a certificate for http://www.socialsecurity.gov.

    There are a number of ways to fix this, and I won’t attempt to advise on the best approach. But it’s clear that the administrators of the Social Security site need to work a bit harder in setting it up.

    — Jerry
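The “invalid certificate” error Jerry describes is a hostname mismatch: the names in the certificate do not include the host the browser connected to. The check below is an added example, not code from the post or from the SSA; the certificate is a constructed stand-in in the dict layout that Python’s `ssl.SSLSocket.getpeercert()` returns, so it runs offline.

```python
"""Decide whether a server certificate covers the hostname we meant to reach.

Added example. Models the case in the comment: a connection to www.ssa.gov
answered with a certificate issued for www.socialsecurity.gov. The cert dict
is constructed in the shape ssl.getpeercert() returns; it is not a real cert.
For live connections ssl.create_default_context() performs this check itself
(check_hostname=True); this module makes the rule visible.
"""

# Constructed stand-in for the certificate the commenter saw.
CERT_FOR_SOCIALSECURITY = {
    "subject": ((("commonName", "www.socialsecurity.gov"),),),
    "subjectAltName": (
        ("DNS", "www.socialsecurity.gov"),
        ("DNS", "socialsecurity.gov"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored.
    A wildcard is accepted only as the entire left-most label, must leave at
    least two fixed labels (so '*.gov' is rejected), and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """DNS names the certificate claims. When a subjectAltName extension is
    present it is authoritative; the CN is consulted only for legacy certs."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn if kind == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate covers the requested hostname."""
    return any(_dns_name_matches(name, hostname) for name in names_in_cert(cert))


def mismatch_report(cert: dict, hostname: str) -> str:
    """Human-readable verdict, in the spirit of a browser's certificate error page."""
    if hostname_matches(cert, hostname):
        return f"OK: certificate covers {hostname}"
    return (f"MISMATCH: connected to {hostname} but the certificate is only valid for "
            + ", ".join(names_in_cert(cert)))


if __name__ == "__main__":
    print(mismatch_report(CERT_FOR_SOCIALSECURITY, "www.ssa.gov"))
    print(mismatch_report(CERT_FOR_SOCIALSECURITY, "www.socialsecurity.gov"))
```

Serving the same certificate under both names would require a certificate whose subjectAltName lists both hosts, which is the condition this check tests for.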


Supply Chain Security 101: An Expert’s View — Krebs on Security

12
Oct 18

Supply Chain Security 101: An Expert’s View

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.

Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.

The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.

Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.

Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.

Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.

But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.

BK: Right, the Trusted Foundry program I guess is a good example.

TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.

BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?

TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.

BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?

TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.

The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.

But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.

BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?

TS: The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.

BK: Wait…what?

TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.

Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.

BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.

TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.

BK: Can you talk about some of the things the government has typically done to figure out whether a given technology supplier might be trying to slip in a few compromised devices among an order of many?

TS: There’s this concept of the “blind buy,” where if you think the threat vector is someone gets into my supply chain and subverts the security of individual machines or groups of machines, the government figures out a way to purchase specific systems so that no one can target them. In other words, the seller doesn’t know it’s the government who’s buying it. This is a pretty standard technique to get past this, but it’s an ongoing cat and mouse game to be sure.

BK: I know you said before this interview that you weren’t prepared to comment on the specific claims in the recent Bloomberg article, but it does seem that supply chain attacks targeting cloud providers could be very attractive for an attacker. Can you talk about how the big cloud providers could mitigate the threat of incorporating factory-compromised hardware into their operations?

TS: It’s certainly a natural place to attack, but it’s also a complicated place to attack — particularly the very nature of the cloud, which is many tenants on one machine. If you’re attacking a target with on-premise technology, that’s pretty simple. But the purpose of the cloud is to abstract machines and make more efficient use of the same resources, so that there could be many users on a given machine. So how do you target that in a supply chain attack?

BK: Is there anything about the way these cloud-based companies operate….maybe just sheer scale…that makes them perhaps uniquely more resilient to supply chain attacks vis-a-vis companies in other industries?

TS: That’s a great question. The counter positive trend is that in order to get the kind of speed and scale that the Googles and Amazons and Microsofts of the world want and need, these companies are far less inclined now to just take off-the-shelf hardware and they’re actually now more inclined to build their own.

BK: Can you give some examples?

TS: There’s a fair amount of discussion among these cloud providers about commonalities — what parts of design could they cooperate on so there’s a marketplace for all of them to draw upon. And so we’re starting to see a real shift from off-the-shelf components to things that the service provider is either designing or pretty closely involved in the design, and so they can also build in security controls for that hardware. Now, if you’re counting on people to exactly implement designs, you have a different problem. But these are really complex technologies, so it’s non-trivial to insert backdoors. It gets harder and harder to hide those kinds of things.

BK: That’s interesting, given how much each of us have tied up in various cloud platforms. Are there other examples of how the cloud providers can make it harder for attackers who might seek to subvert their services through supply chain shenanigans?

TS: One factor is they’re rolling this technology out fairly regularly, and on top of that the shelf life of technology for these cloud providers is now a very small number of years. They all want faster, more efficient, powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very expensive problem for the attacker because it might have taken them a year to get that foothold, but in a lot of cases the short shelf life of this technology [with the cloud providers] is really raising the costs for the attackers.

When I looked at what Amazon and Google and Microsoft are pushing for it’s really a lot of horsepower going into the architecture and designs that support that service model, including the building in of more and more security right up front. Yes, they’re still making lots of use of non-U.S. made parts, but they’re really aware of that when they do. That doesn’t mean these kinds of supply chain attacks are impossible to pull off, but by the same token they don’t get easier with time.

BK: It seems to me that the majority of the government’s efforts to help secure the tech supply chain come in the form of looking for counterfeit products that might somehow wind up in tanks and ships and planes and cause problems there — as opposed to using that microscope to look at commercial technology. Do you think that’s accurate?

TS: I think that’s a fair characterization. It’s a logistical issue. This problem of counterfeits is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There’s this buzzphrase that if you can’t build in security then build in accountability. Basically the notion there was you often can’t build in the best or perfect security, but if you can build in accountability and traceability, that’s a pretty powerful deterrent as well as a necessary aid.

BK: For example….?

TS: Well, there’s this emphasis on high quality and unchangeable logging. If you can build strong accountability that if something goes wrong I can trace it back to who caused that, I can trace it back far enough to make the problem more technically difficult for the attacker. Once I know I can trace back the construction of a computer board to a certain place, you’ve built a different kind of security challenge for the attacker. So the notion there is while you may not be able to prevent every attack, this causes the attacker different kinds of difficulties, which is good news for the defense.

BK: So is supply chain security more of a physical security or cybersecurity problem?

TS: We like to think of this as we’re fighting in cyber all the time, but often that’s not true. If you can force attackers to subvert your supply chain, then you first off take away the mid-level criminal elements and you force the attackers to do things that are outside the cyber domain, such as set up front companies, bribe humans, etc. And in those domains — particularly the human dimension — we have other mechanisms that are detectors of activity there.

BK: What role does network monitoring play here? I’m hearing a lot right now from tech experts who say organizations should be able to detect supply chain compromises because at some point they should be able to see truckloads of data leaving their networks if they’re doing network monitoring right. What do you think about the role of effective network monitoring in fighting potential supply chain attacks?

TS: I’m not so optimistic about that. It’s too easy to hide. Monitoring is about finding anomalies, either in the volume or type of traffic you’d expect to see. It’s a hard problem category. For the US government, with perimeter monitoring there’s always a trade off in the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So a lot of things we don’t get to touch because of tunneling and encryption, and the Department of Defense in particular has really struggled with this.

Now obviously what you can do is man-in-the-middle traffic with proxies and inspect everything there, and the perimeter of the network is ideally where you’d like to do that, but the speed and volume of the traffic is often just too great.

BK: Isn’t the government already doing this with the “trusted internet connections” or Einstein program, where they consolidate all this traffic at the gateways and try to inspect what’s going in and out?

TS: Yes, so they’re creating a highest volume, highest speed problem. To monitor that and to not interrupt traffic you have to have bleeding edge technology to do that, and then handle a ton of it which is already encrypted. If you’re going to try to proxy that, break it out, do the inspection and then re-encrypt the data, a lot of times that’s hard to keep up with technically and speed-wise.

BK: Does that mean it’s a waste of time to do this monitoring at the perimeter?

TS: No. The initial foothold by the attacker could have easily been via a legitimate tunnel and someone took over an account inside the enterprise. The real meaning of a particular stream of packets coming through the perimeter you may not know until that thing gets through and executes. So you can’t solve every problem at the perimeter. Some things only become obvious and make sense to catch them when they open up at the desktop.

BK: Do you see any parallels between the challenges of securing the supply chain and the challenges of getting companies to secure Internet of Things (IoT) devices so that they don’t continue to become a national security threat for just about any critical infrastructure, such as with DDoS attacks like we’ve seen over the past few years?

TS: Absolutely, and again the economics of security are so compelling. With IoT we have the cheapest possible parts, devices with a relatively short life span and it’s interesting to hear people talking about regulation around IoT. But a lot of the discussion I’ve heard recently does not revolve around top-down solutions but more like how do we learn from places like the Food and Drug Administration about certification of medical devices. In other words, are there known characteristics that we would like to see these devices put through before they become in some generic sense safe.

BK: How much of addressing the IoT and supply chain problems is about being able to look at the code that powers the hardware and finding the vulnerabilities there? Where does accountability come in?

TS: I used to look at other peoples’ software for a living and find zero-day bugs. What I realized was that our ability to find things as human beings with limited technology was never going to solve the problem. The deterrent effect that people believed someone was inspecting their software usually got more positive results than the actual looking. If they were going to make a mistake — deliberately or otherwise — they would have to work hard at it and if there was some method of transparency, us finding the one or two and making a big deal of it when we did was often enough of a deterrent.

BK: Sounds like an approach that would work well to help us feel better about the security and code inside of these election machines that have become the subject of so much intense scrutiny of late.

TS: We’re definitely going through this now in thinking about the election devices. We’re kind of going through this classic argument where hackers are carrying the noble flag of truth and vendors are hunkering down on liability. So some of the vendors seem willing to do something different, but at the same time they’re kind of trapped now by the good intentions of open vulnerability community.

The question is, how do we bring some level of transparency to the process, but probably short of vendors exposing their trade secrets and the code to the world? What is it that they can demonstrate in terms of cost effectiveness of development practices to scrub out some of the problems before they get out there. This is important, because elections need one outcome: Public confidence in the outcome. And of course, one way to do that is through greater transparency.

BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?

TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond the ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.

It’s now almost impossible for consumers to buy electronics stuff that isn’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only.

We’re going to see more easy-to-use tools available to consumers to help manage all these devices. We’re starting to see the fight for dominance in this space already at the home gateway and network management level. As these devices get more numerous and complicated, there will be more consumer-oriented ways to manage them. Some of the broadband providers already offer services that will tell you what devices are operating in your home and let users control when those various devices are allowed to talk to the Internet.


Since Bloomberg’s story broke, The U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ, both came out with statements saying they had no reason to doubt vehement denials by Amazon and Apple that they were affected by any incidents involving Supermicro’s supply chain security. Apple also penned a strongly-worded letter to lawmakers denying claims in the story.

Meanwhile, Bloomberg reporters published a follow-up story citing new, on-the-record evidence to back up claims made in their original story.


45 comments

  1. Data exfiltration might be the least of my concerns; I’d be more worried about an embedded one-shot kill switch that’s undetectable until the moment it’s used.

    No need for outbound traffic if the data isn’t what you’re really after.

  2. that thing is so funny. I am going to share that.

  3. It shocks me that organizations outside of regulated industries (e.g., financial services) still to this day do not vet their third parties. Industries need to wake up to the threat of intellectual property being stolen by their supply chain, and assessing them is a must to ensure they’re in alignment with your overall security, continuity, and privacy postures.


#####EOF##### #####EOF##### Advertising/Speaking — Krebs on Security

Advertising/Speaking

Speaking

Krebs is a top-ranked global speaker. To contact him for speaking requests please email Jasmine Dhir at Jasmine@allamericanentertainment.com

Advertising

Founded in 2009, KrebsOnSecurity is a top source for investigative reporting on cybercrime and Internet security. With 850,000 to 1.5 million pageviews a month and approximately 700,000 – 1 million unique visitors monthly, KrebsOnSecurity maintains a fiercely loyal following, while constantly attracting new readers. This blog’s audience includes a broad cross-section of financial services industry executives, as well as decision-makers and experts in the technology and security products and services space.

Currently we support a 300×250 pixel box in the premium upper right side location, and a 728×90 leaderboard banner across the top. We also offer a 468×60 spot that runs at the end of every story.

All advertising is based on the industry standard CPM model. Ad images must be approved before running.

For information on rates and availability, please fill out the form below.



#####EOF##### First ‘Jackpotting’ Attacks Hit U.S. ATMs — Krebs on Security

27
Jan 18

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Diebold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.”

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

An endoscope made to work in tandem with a mobile device. Source: gadgetsforgeeks.com.au

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

A 2017 analysis of Ploutus.D by security firm FireEye called it “one of the most advanced ATM malware families we’ve seen in the last few years.”

“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.

According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.

Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Indeed, the Secret Service memo shared by my source says the cash out crew/money mules typically take the dispensed cash and place it in a large bag. After the cash is taken from the ATM and the mule leaves, the phony technician(s) return to the site and remove their equipment from the compromised ATM.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.

FireEye said all of the samples of Ploutus.D it examined targeted Diebold ATMs, but it warned that small changes to the malware’s code could enable it to be used against 40 different ATM vendors in 80 countries.

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

This is a quickly developing story and may be updated multiple times over the next few days as more information becomes available.
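The Secret Service alert above gives a defender three host-visible signals: the machine drops to Out of Service, the network cable is unplugged and later reconnected, and the dispenser runs continuously (40 bills every 23 seconds) with no card transaction behind it. The following is an added example, not code from the article, NCR, Diebold or the Secret Service, of a small host-side detector that correlates those signals over ATM telemetry; the log format, event names and ATM identifiers are constructed for the example.

```python
"""Detect an unauthorised continuous-dispense pattern in ATM host telemetry.

Added example: the event format below ("ISO-time ATM-id EVENT key=value ...")
and the ATM ids are constructed for illustration, not a real vendor format.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. ATM-0412 shows the pattern described in the alert:
# link bounce, Out of Service, then back-to-back dispenses with no transaction.
# ATM-0099 shows ordinary customer withdrawals tied to transaction ids.
SAMPLE_LOG = """\
2018-01-26T02:10:05 ATM-0412 LINK_DOWN
2018-01-26T02:10:41 ATM-0412 LINK_UP
2018-01-26T02:11:02 ATM-0412 STATUS state=OUT_OF_SERVICE
2018-01-26T02:11:30 ATM-0412 DISPENSE bills=40 txn=none
2018-01-26T02:11:53 ATM-0412 DISPENSE bills=40 txn=none
2018-01-26T02:12:16 ATM-0412 DISPENSE bills=40 txn=none
2018-01-26T02:12:39 ATM-0412 DISPENSE bills=40 txn=none
2018-01-26T02:15:00 ATM-0412 LINK_DOWN
2018-01-26T02:16:10 ATM-0412 LINK_UP
2018-01-26T09:30:12 ATM-0099 STATUS state=IN_SERVICE
2018-01-26T09:31:00 ATM-0099 DISPENSE bills=10 txn=a1b2c3
2018-01-26T09:40:00 ATM-0099 DISPENSE bills=20 txn=d4e5f6
"""

# The alert cites 40 bills every 23 seconds. Two such cycles inside one minute
# (80 bills) with no authorising transaction is the trigger used here.
WINDOW = timedelta(seconds=60)
BILLS_PER_WINDOW = 80
# A link drop shortly before the dispensing is reported as corroboration only.
LINK_BOUNCE_LOOKBACK = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line into an Event."""
    ts, atm, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), atm, kind, fields)


def detect_jackpotting(log_text: str, window: timedelta = WINDOW,
                       bills_threshold: int = BILLS_PER_WINDOW) -> list:
    """Return one alert dict per ATM whose telemetry matches the pattern.

    Trigger: unauthorised dispenses (txn=none) summing to bills_threshold or
    more within `window`. Out-of-service state and a recent link drop are
    attached as corroborating indicators rather than required conditions.
    """
    state = {}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        s = state.setdefault(ev.atm, {"oos": False, "dispenses": deque(),
                                      "link_down": None, "alerted": False})
        if ev.kind == "LINK_DOWN":
            s["link_down"] = ev.ts
        elif ev.kind == "STATUS":
            s["oos"] = ev.fields.get("state") == "OUT_OF_SERVICE"
        elif ev.kind == "DISPENSE" and ev.fields.get("txn") == "none":
            q = s["dispenses"]
            q.append((ev.ts, int(ev.fields["bills"])))
            # Keep only dispenses inside the sliding window.
            while q and ev.ts - q[0][0] > window:
                q.popleft()
            total = sum(b for _, b in q)
            if total >= bills_threshold and not s["alerted"]:
                s["alerted"] = True  # one alert per ATM per run
                recent_drop = (s["link_down"] is not None
                               and ev.ts - s["link_down"] < LINK_BOUNCE_LOOKBACK)
                alerts.append({
                    "atm": ev.atm,
                    "first_dispense": q[0][0],
                    "bills_in_window": total,
                    "out_of_service": s["oos"],
                    "link_bounced": recent_drop,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_jackpotting(SAMPLE_LOG):
        print(a)
```

On the sample log the detector flags ATM-0412 at the second unauthorised dispense and leaves ATM-0099 alone, since its dispenses carry transaction ids.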


114 comments

  1. So apparently the ATM companies don’t have a way of detecting this kind of tampering in real time and alerting the police or someone else to go on site and see what is going on? I realize the machine can go off-line for a number of reasons but don’t the machines have cameras they could immediately check? Even if video from the camera is lost due to tampering, they could have the last few minutes saved to check what is going on.

    • So, imagine you’re one of these proprietors, you have hundreds or maybe thousands of locations to monitor. You’re technically subcontracting to a bank, pharmacy or other institution, so whatever surveillance you’re rocking would have to piggyback off that- and whatever “that” is may not be so great.

      For the vast majority of different possible scenarios, the thing to do is probably lodge the DVR inside the ATM unit. So while video is constantly recorded, it isn’t generally actively checked.

      It’s checked when there’s a problem- as is the case with most video surveillance systems.

      • I didn’t mean watch it constantly. I meant couldn’t they react to a machine going off-line by checking the past few minutes of video to see no-one was tampering with it. And more generally, I meant I’m surprised that these people can tamper with a machine without being somehow detected. Like there is no notice when someone connects to the device’s port. I understand, though, that checking such alerts and keeping track of whether maintenance is scheduled for the machine may be a lot of work. I guess hardening those machines somehow to make the port more difficult to access may be a cheaper way of protection…

        • It’s all a matter of scale.

          How much is the loss? How often does the loss occur? How much will it cost to deploy a defense? Is the defense more or less expensive then accepting the loss? Will accepting the loss increase the number of losses over time?

          You can turn every ATM into a fortress, but that’s not an effective use of funds. Why do you think that so many machines are still running XP? Because it’s cheap.

        • Oh, there has to be a built-in security system. But it’s not for security. It needs to be filled. So, it has to call home, to get more money. There are things that it has to do to maintain, and make money for its owner. Like, it has to call banks to check if the card is issued to this requestor, if there is money to back this request, if the service door is open, etc, etc. But, what they cannot do is more telling. It cannot verify its location, OS, or its programs like an embedded system could. Does not being embedded make it safer? Logical fallacies on both sides. Especially the arguments on OS. The owner will always err on the side of least cost.

        • Generally, ATM aren’t monitored that way, no.

    • Wouldn’t a slight electrical charge on all of the access ports be enough that way then if something was plugged into any of the ports it would trip the electrical charge and let the system know something was plugged in

    • OK, so I worked for a subsidiary of NCR corporation from 1995 to 2003, on software to monitor ATMs. I am well outside my NDA, etc. Also, this is dated, and both times I left NCR it was not on the best of possible terms.

      So sure, a big ATM is always connected to the network, has a lot of tamper sensors and vandalism sensors, and if you trip any of them at most US banks, the software that I used to participate in is going to have a cop at that ATM within moments.

      These little kiosk ATMs, though, used to be primarily dial up. Social engineering access to them is trivial, and they have no real way to report any tamper. Once you have the social engineering for access, it’d be relatively easy I would imagine – have your cell out, once you get everything in place, send a text – have someone come in and distract the clerk, activate the jackpot. As long as nobody else is near you in the store, they have to figure out when the money disappeared.

      They will start, there, looking at tapes around when it was filled, by whom it was last filled – and so in this scheme, you’re reliant on asking the right employee to find out “oh, there was someone servicing the ATM,” and then reliant also on there being enough information in the video tape to catch them.

      The immediate trend would be to blame whoever last filled the ATM, and then only after to look at the tape.

      • Interesting information. I guess a low cost solution would be a well placed steel plate right on top of any connectors that thieves must not get access to. Like so close there is no way to get in between the plate and the connectors. I don’t think they can drill through it unnoticed even if they are wearing maintenance personnel clothes.

    • There are alarms and alerts on most ATMs for this type of activity. The problem, at least in my personal experience, is that these alerting systems will blast out e-mails every time a mosquito farts within a mile of the machine. They start to get ignored real quick.

  2. All right, I still think Windows 7 is best, also we Russians and best parts of Eastern Europeans like number 7, better is triple 777, that’s why we put 777 on our nice cars’ license plates.
    And yes, Windows 7 is best, whoever says it’s not then they’re wrong, I refuse to use other than Windows 7, I don’t like Windows 8 absolutely, I don’t like it.
    7 is best !!

  3. Yeah, you know.. I heard dumps are best jobs, means in-store carding.,.. me I don’t like that, I think I don’t like this MSR thing to copy cards, not my field, however I heard many many guys living off this kind of business. But I like more just cryptocurrency.. bitcoins are my field of work

  4. This has been a problem in the Pacific Northwest. A security company I work with mentioned that some perps who were behind those heists were arrested. That company has been busy implementing additional security devices on various Diebold ATMs.

    Although some banks have taken additional security measures, the perps are able to defeat them. Some banks are resorting to a hardware solution with additional security monitoring. Certain algorithms based on behavior will shutdown the ATM as I understand.

  5. Wiki says “a small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000.”

    I expect those ATMs will soon be making their way to a banking museum near you.

    • You might be surprised, vendors are astonishingly slow to update.

      • That was the original promise of thin clients, to get away from the sheer cost of thick PC lifecycle. It’s typically $500/year/unit in support costs. But you then had a reliance on a backend.

        Then BSD and Linux embedded took off in the late ’90s. This was the best-of-both worlds, a client/server architecture with still enough to work standalone, all while updating quick with 1/10th the support costs (sub-$50/year/unit). If it was good enough for launch systems and space probes at NASA, it was good enough for financial.

        Unfortunately, Microsoft sales made its efforts, and preyed on mainstream IT assumptions. Already embedded-heavy and UNIX-centric industries didn’t listen, and Microsoft lost set-tops and swathes of retail, let alone 100% of the backend trading industry (sans the infamous LSE that blew up on Microsoft-Accenture in 2008).

        But Microsoft got ATMs and voting machines, because enough stakeholders and decision makers were used to fat PCs.

    • It’s costly to update ATMs (which means buying new ones and paying techs to install them). This sort of thing is a wakeup call though, that’s for sure.

  6. These ATMs typically can be opened using a generic key. So changing the lock to use a key specific to the owner of the ATM would deter. Also there are switches in the ATM that alarm (when they are used) the network that someone has accessed the top hat of the ATM. When the device communication or software is interrupted in any way, a status is sent to the host. If they cut the comm connection a status is sent to the host. If the ATM owner has set a secure password on the PC core which will not allow booting from the CD or anything except the hard drive that will be a deterrent also.
    In the end there are security measures already present in the ATMs but unfortunately (for the owners) they are not being used.
    That is why the message from the OEM is if you are not using the security measures as they stand, they will not be responsible for losses.

  7. ATMs can have tamper sensors for things like “chassis was opened”, but not so much for “tiny hole was drilled in the side and an endoscope was slid inside”. There are sensors for hardware being moved around inside the chassis, but I am not sure how widely used they are since they cost more.
    Someone typically does get notified when an ATM goes offline. If the ATM is at a bank branch, you can get someone (who has hopefully had training) to check it out within minutes so probably not the best target.
    If it is a standalone ATM in a gas station or grocery store, then you likely have to send a technician from the manufacturer which takes time. You have nobody onsite that is trained or that you can trust to go inspect the ATM, nobody to call and ask to “just go see if there is anybody standing around it pretending to be a technician”.
    “Checking the cameras” is great in theory, but they can be defeated by a hoodie, a ball cap, or some sunglasses.

    I do wonder why it makes a difference if the ATM is running Windows XP or 7 when the attacker is plugging in their own software. The protections available at the OS level, all of them, would be bypassed because that OS would no longer be active.

    • I’d imagine the Windows XP / Windows 7 ordeal would be more about how windows treats (or has configured) plug-and-play devices such as USB keys. It’s likely you can get XP to automatically execute code on a USB key that is pretending to be a CD-ROM drive, where the latter ATMs will have been configured to disable Autoplay.

  8. Microsoft used to offer a stripped down version of Windows 7 called Windows Thin PC that allowed Windows 7 to be run on older hardware.

    I suggested investigating Windows Thin PC to a former employer in order to both let us continue using our …antiquated hardware and make the network more secure, but was told that I didn’t know what I was talking about because I don’t have an IT degree.

    At last count, the company was converting the Windows XP Pro desktops to thin client machines because the up-front costs were cheaper than replacing them with newer computers running Windows 7 Pro or Windows 10 pro.

  9. So this is how the DNC funds wars on behalf of local charity fraud!

  10. I’ve seen ATM’s left open before by the people servicing them; let alone, people actively trying to rob them.

    I came across one that was open with both cans full of 20’s, so at least a couple grand, and stayed that way for about 2 hours until I called the service provider.

    If they care that little about the cash being unprotected, then updating O/S or put in greater security measures can’t be high on their priority list.

  11. Not sure if they are copying, or have independent material, but a lot of similarities between their story and yours without reference:

    https://www.yahoo.com/gma/secret-warns-banks-coming-wave-atm-jackpotting-attacks-165004843–abc-news-topstories.html

  12. Why can’t we live in peace? (¬_¬)

  13. If they can’t be bothered to update the OS beyond 95 what makes you think for a second they will spend a dime on video or security. Please, it is all about the numbers. They lose 2 or 3 thousand in one day but make a cool Mil over a year. Tax write off (we pay), Insurance write off (we pay). They fix, they collect (we still pay). See how the game works. They still get paid no matter what happens and we still pay 4 to 5 dollars per transaction.

    • Because fat PCs, even the ‘Embedded’ NT/XP/et al editions, still cost $500+/year/unit in support.

      Microsoft got the ATM market by the mid ’00s, and they’ve been stuck with this reality.

      All OSes have network security holes, but Windows really stinks on physical access security, mainly due to how WinForms works with taskmgr.exe.

      • I mean, if I’m Diebold and IBM, why use the more appropriate, easier to support, OS-build lifecycle when a customer asks for fat PC Windows at 5-10x the recurring lifecycle support costs? Engineering took a backseat to Professional Services.

        In lower margin industries like set tops, of course they wouldn’t even remotely look at this. The US Military also stopped doing it after the carrier fiasco in the US Navy. But ATMs and voting machines continue to be ‘fatter,’ at odds with all other trends, from military to retail.

        Why? Because customers are willing to pay and deal with the issues.

  14. What interests me is that there are actually sophisticated crews doing these jobs. Obviously they are highly tech savvy? So this is a more lucrative/attractive job for the low level members than working a legit job…that means it must be too easy. Higher-ups will be dedicated highly intelligent types but the lowest members most likely not. It would seem LE would have more HUMINT on these types of networks….

  15. R.I.P. Barnaby Jack.

  16. Jackpotting LOL, yesterday I have seen a scanner on the ATM machine that catches our debit card details.

    Be aware when you use your debit card because thieves are attaching a scanner on ATM machines.

  17. I’ll pass this along, so people keep their eyes open.

  18. This has been occurring since 2013 here in the U.S., it’s not anything new nor is it something that originated in Mexico. How logical or responsible is it to name one specific country as being the first place Ploutus was used? Do you think any ATM company or financial institution wants to broadcast that they were outsmarted and compromised? It’s disappointing television news outlets are reporting on this and your article isn’t even accurate.

  19. Very good reading – informative – I have seen these scams done and the effect it had on people i.e. personal identification fraud etc.


#####EOF##### Firefox Zero-Day Used in Child Porn Hunt? — Krebs on Security

04
Aug 13

Firefox Zero-Day Used in Child Porn Hunt?

A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser — an online anonymity tool powered by Firefox 17.


Freedom Hosting’s entry on the Tor network’s The Hidden Wiki page.

Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors.

The Tor Browser bundle also is the easiest way to find Web sites that do not want to be easily taken down, such as the Silk Road (a.k.a. the “eBay of hard drugs“) and sites peddling child pornography.

On Saturday, Aug. 3, 2013, Independent.ie, an Irish news outlet, reported that U.S. authorities were seeking the extradition of Eric Eoin Marques, a 28-year-old with Irish and American citizenship reportedly dubbed by the FBI as “the largest facilitator of child porn on the planet.” According to the Independent, Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child porn online.

The Tor Project’s blog now carries a post noting that at approximately midnight on August 4th “a large number of hidden service addresses disappeared from the Tor Network,” sites that appear to have been tied to an organization called Freedom Hosting — a hosting service run on the Tor Network allegedly by Marques.

Hidden services can be used to run a variety of Web services that are not directly reachable from a normal Internet connection — from FTP and IRC servers to Web sites. As such, the Tor Network is a robust tool for journalists, whistleblowers, dissidents and others looking to publish information in a way that is not easily traced back to them.

“There are rumors that a hosting company for hidden services is suddenly offline and/or has been breached and infected with a javascript exploit,” writes “phobos,” a Tor Project blogger. Phobos notes that the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research, and continues:

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

Even if the claimed vulnerability is limited to Firefox version 17, such a flaw would impact far more than just Tor bundle users. Mozilla says it has been notified of a potential security vulnerability in Firefox 17, which is currently the extended support release (ESR) version of Firefox. Last year, Mozilla began offering an annual ESR of Firefox for enterprises and others who didn’t want to have to keep up with the browser’s new rapid release cycle.

“We are actively investigating this information and we will provide additional information when it becomes available,” Michael Coates, director of security assurance at Mozilla, wrote in a brief blog post this evening.

Ofir David, head of intelligence for Israeli cybersecurity firm Cyberhat, said he believes the now-public exploit code is indeed related to Marques’ arrest. David said someone appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. If so, the code silently redirects that visitor’s browser to another site which generates a unique identifier called a UUID.

David said that although the exploit can be used to download and run malicious code on the visitor’s computer, whoever infiltrated Freedom Hosting appears to have only used the exploit to gather the true Internet addresses of people visiting the child porn sites hosted there.

“Ironically, all [the malicious code] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID,” David said. “That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

For more on this developing story, check out this Reddit thread. Also, Mozilla has an open Bugzilla entry analyzing the exploit code.

Update, Aug. 5, 1:45 a.m. ET: Reverse engineer Vlad Tsyrklevich has posted a brief analysis of what the exploit does. His conclusion (which seems sound): “Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by a [law enforcement agency] and not by blackhats.”

Also, here’s a bit more from Mozilla’s security lead Dan Veditz on the vulnerability:

“The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53.

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.”

Update, Aug. 5, 4:08 p.m., ET: Kevin Poulsen from Wired.com notes that, according to a domaintools.com lookup, the IP address used by the malicious script’s controllers found by Tsyrklevich resolves to a Verizon address space that is managed by Science Applications International Corp. (SAIC), an American defense contractor headquartered in Tysons Corner, Va.


218 comments

  1. I don’t think anyone here has mentioned it yet, but the “malicious HTML code” is being picked up by multiple AVs now.

    Here’s a scan of the .js Krebs posted ( http://pastebin.mozilla.org/2777139 )

    https://www.virustotal.com/latest-scan/7d657aba8d25eba8fe54cbf2c4883960

    Some people were wondering if AVs would even flag an exploit apparently used by “the FBI” or what-have-you, and they are. A lot of reputable vendors too. So, even with it requiring an outdated Firefox to work, if it ever was reused by anyone (exploit kits) it’d be picked up by AVs.

  2. @Chris Hansen: I am thinking that the post a bit above this one was not really you. Confirm?

  3. Well, there’s basically a simple answer to this vulnerability : do not use the Browser Bundle and route your traffic yourself using Tor+Vidalia+Privoxy, and whatever up-to-date browser you can find. I sort of remember the Tor website indicating that while the Browser Bundle is easily set up it’s not perfect in terms of anonymity…

  4. The USDOJ/FBI lied to the Irish Courts. Freedom Hosting houses TorMail and they’ve been after TorMail since WikiLeaks popped up. When Eric Snowden broke big they accelerated their efforts. They couldn’t exercise NDL Patriot Act authority over Freedom Hosting because it’s not in the U.S. So they networked with some of the usual anonymous cowards to upload illegal porn over the course of several years/months – then they networked with civilian organizations briefly (SAIC, Verizon) to locate the Admin in Ireland. They couldn’t get Ireland’s cooperation just to grab TorMail because it would be an obvious privacy issue, but the court in Ireland bought the bit about illegal porn so they arrested Mr. Marques for extradition to the U.S.


#####EOF##### A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

18
Feb 19

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.”

The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into the numeric Internet addresses that are easier for computers to manage.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text.

On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.

About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.

That changed on Jan. 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date. The remainder of this story is based on open-source research and interviews conducted by KrebsOnSecurity in an effort to shed more light on the true extent of this extraordinary — and ongoing — attack.

The “indicators of compromise” related to the DNSpionage campaign, as published by CrowdStrike.

PASSIVE DNS

I began my research by taking each of the Internet addresses laid out in the CrowdStrike report and running them through both Farsight Security and SecurityTrails, services that passively collect data about changes to DNS records tied to tens of millions of Web site domains around the world.

Working backwards from each Internet address, I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 companies and government agencies in the Middle East and the surrounding region, including targets in Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates.

For example, the passive DNS data shows the attackers were able to hijack the DNS records for mail.gov.ae, which handles email for government offices of the United Arab Emirates. Here are just a few other interesting assets successfully compromised in this cyber espionage campaign:

-nsa.gov.iq: the National Security Advisory of Iraq
-webmail.mofa.gov.ae: email for the United Arab Emirates’ Ministry of Foreign Affairs
-shish.gov.al: the State Intelligence Service of Albania
-mail.mfa.gov.eg: mail server for Egypt’s Ministry of Foreign Affairs
-mod.gov.eg: Egyptian Ministry of Defense
-embassy.ly: Embassy of Libya
-owa.e-albania.al: the Outlook Web Access portal for the e-government portal of Albania
-mail.dgca.gov.kw: email server for Kuwait’s Civil Aviation Bureau
-gid.gov.jo: Jordan’s General Intelligence Directorate
-adpvpn.adpolice.gov.ae: VPN service for the Abu Dhabi Police
-mail.asp.gov.al: email for Albanian State Police
-owa.gov.cy: Microsoft Outlook Web Access for Government of Cyprus
-webmail.finance.gov.lb: email for Lebanon Ministry of Finance
-mail.petroleum.gov.eg: Egyptian Ministry of Petroleum
-mail.cyta.com.cy: Cyta telecommunications and Internet provider, Cyprus
-mail.mea.com.lb: email access for Middle East Airlines

The passive DNS data provided by Farsight and SecurityTrails also offered clues about when each of these domains was hijacked. In most cases, the attackers appear to have changed the DNS records for these domains (we’ll get to the “how” in a moment) so that the domains pointed to servers in Europe that they controlled.

Shortly after the DNS records for these domains were hijacked (sometimes weeks, sometimes just days or hours later), the attackers were able to obtain SSL certificates for those domains from the certificate authorities Comodo and/or Let’s Encrypt. Control of a domain’s DNS is enough to pass the domain-validation checks those CAs rely on, so the resulting certificate is accepted by browsers and mail clients like any other. The preparation for several of these attacks can be seen at crt.sh, which provides a searchable front end to the public Certificate Transparency logs in which CAs record the certificates they issue.

Let’s take a closer look at one example. The CrowdStrike report references the Internet address 139.59.134[.]216 (see above), which according to Farsight was home to just seven different domains over the years. Two of those domains only appeared at that Internet address in December 2018, including domains in Lebanon and — curiously — Sweden.

The first domain was “ns0.idm.net.lb,” which is a server for the Lebanese Internet service provider IDM. From early 2014 until December 2018, ns0.idm.net.lb pointed to 194.126.10[.]18, which appropriately enough is an Internet address based in Lebanon. But as we can see in the screenshot from Farsight’s data below, on Dec. 18, 2018, the DNS records for this ISP were changed to point Internet traffic destined for IDM to a hosting provider in Germany (the 139.59.134[.]216 address).

Source: Farsight Security

Notice what else is listed along with IDM’s domain at 139.59.134[.]216, according to Farsight:

The DNS records for the domains sa1.dnsnode.net and fork.sth.dnsnode.net also were changed from their rightful home in Sweden to the German hosting provider controlled by the attackers in December. These domains are owned by Netnod Internet Exchange, a major global DNS provider based in Sweden. Netnod also operates one of the 13 “root” name servers, a critical resource that forms the very foundation of the global DNS system.
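The pivot described above (from an indicator IP to every name that was ever pointed at it, and from each name to where it lived before) is mechanical once you have a passive-DNS export. The following is an added example, not code from Farsight Security, SecurityTrails or this article. It models the export as one row per (rrname, rrtype, rdata) with first-seen and last-seen dates, which is how such services aggregate observations, so a brief hijack shows up as a short-lived extra row rather than a gap in the legitimate one. The rows are constructed around the article’s 139.59.134[.]216 and 82.196.11[.]127 example: the Dec. 18, 2018 IDM change is the one date the article states; the other dates and the “legitimate” 192.0.2.x / 198.51.100.x addresses are made up.

```python
"""Pivoting from indicator IPs through passive DNS (added example)."""
from collections import defaultdict
from datetime import date
from typing import Dict, List

Row = Dict[str, object]

# Indicator addresses taken from the article; everything else below is constructed.
IOC_IPS = ["139.59.134.216", "82.196.11.127"]

PDNS: List[Row] = [
    # owner name, type, value, first seen, last seen
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "194.126.10.18",
     "time_first": date(2014, 2, 1), "time_last": date(2019, 2, 1)},
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 12, 18), "time_last": date(2018, 12, 18)},
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "192.0.2.10",
     "time_first": date(2012, 6, 1), "time_last": date(2019, 2, 1)},
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 12, 20), "time_last": date(2018, 12, 21)},
    {"rrname": "fork.sth.dnsnode.net", "rrtype": "A", "rdata": "192.0.2.11",
     "time_first": date(2012, 6, 1), "time_last": date(2019, 2, 1)},
    {"rrname": "fork.sth.dnsnode.net", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 12, 20), "time_last": date(2018, 12, 21)},
    {"rrname": "mmfasi.com", "rrtype": "A", "rdata": "82.196.11.127",
     "time_first": date(2018, 11, 5), "time_last": date(2019, 1, 10)},
    {"rrname": "ns.anycast.woodynet.net", "rrtype": "A", "rdata": "198.51.100.5",
     "time_first": date(2010, 1, 1), "time_last": date(2019, 2, 1)},
    {"rrname": "ns.anycast.woodynet.net", "rrtype": "A", "rdata": "82.196.11.127",
     "time_first": date(2019, 1, 2), "time_last": date(2019, 1, 2)},
    # noise: a name that never touched attacker infrastructure
    {"rrname": "www.unrelated.example", "rrtype": "A", "rdata": "203.0.113.40",
     "time_first": date(2017, 3, 3), "time_last": date(2019, 2, 1)},
]


def names_pointed_at(pdns: List[Row], ip: str) -> List[Row]:
    """Every A-record row whose value is the indicator IP, oldest first."""
    hits = [r for r in pdns if r["rrtype"] == "A" and r["rdata"] == ip]
    return sorted(hits, key=lambda r: (r["time_first"], r["rrname"]))


def previous_values(pdns: List[Row], name: str, before: date, exclude: str) -> List[str]:
    """What the name resolved to before `before`, excluding the indicator itself."""
    prior = [r for r in pdns
             if r["rrname"] == name and r["rrtype"] == "A"
             and r["rdata"] != exclude and r["time_first"] < before]
    return [r["rdata"] for r in sorted(prior, key=lambda r: r["time_first"])]


def pivot(pdns: List[Row], iocs: List[str]) -> Dict[str, List[dict]]:
    """For each indicator IP: the names pointed at it, when, for how long, and their prior homes."""
    report: Dict[str, List[dict]] = defaultdict(list)
    for ip in iocs:
        for r in names_pointed_at(pdns, ip):
            report[ip].append({
                "name": r["rrname"],
                "moved_on": r["time_first"],
                "days_seen": (r["time_last"] - r["time_first"]).days + 1,
                "previously": previous_values(pdns, r["rrname"], r["time_first"], ip),
            })
    return dict(report)


def classify(report: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Names with an established prior address are victims; names with no history
    at all are most likely the attacker's own (e.g. a DNS server they registered)."""
    victims, attacker_owned = [], []
    for hits in report.values():
        for h in hits:
            (victims if h["previously"] else attacker_owned).append(h["name"])
    return {"victims": sorted(victims), "attacker_owned": sorted(attacker_owned)}
```

Run `pivot(PDNS, IOC_IPS)` and `classify(...)` on a real export to turn a CrowdStrike-style IOC list into a victim list; the `days_seen` value is what separates an hour-long hijack from a name that genuinely lives at the address.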

We’ll come back to Netnod in a moment. But first let’s look at another Internet address referenced in the CrowdStrike report as part of the infrastructure abused by the DNSpionage hackers: 82.196.11[.]127. This address in The Netherlands also is home to the domain mmfasi[.]com, which Crowdstrike says was one of the attacker’s domains that was used as a DNS server for some of the hijacked infrastructure.

As we can see in the screenshot above, 82.196.11[.]127 was temporarily home to another pair of Netnod DNS servers, as well as the server “ns.anycast.woodynet.net.” That domain is derived from the nickname of Bill Woodcock, who serves as executive director of Packet Clearing House (PCH).

PCH is a nonprofit entity based in northern California that also manages significant amounts of the world’s DNS infrastructure, particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage.

TARGETING THE REGISTRARS

Contacted on Feb. 14 by KrebsOnSecurity, Netnod CEO Lars Michael Jogbäck confirmed that parts of Netnod’s DNS infrastructure were hijacked in late December 2018 and early January 2019 after the attackers gained access to accounts at Netnod’s domain name registrar.

Jogbäck pointed to a statement the company published on its Web site on Feb. 5, which says Netnod learned of its role in the attack on January 2 and has been in contact with all relevant parties and customers throughout this process.

“As a participant in an international security co-operation, Netnod became aware on 2 January 2019 that we had been caught up in this wave and that we had experienced a MITM (man-in-the-middle) attack,” the statement reads. “Netnod was not the ultimate goal of the attack. The goal is considered to have been the capture of login details for Internet services in countries outside of Sweden.”

In an interview with this author on Feb. 15, PCH’s Woodcock acknowledged that portions of his organization’s infrastructure were compromised after the DNSpionage hackers abused unauthorized access to its domain name registrar.

As it happens, the registrar records for both pch.net and dnsnode.net point to the same sources: Key-Systems GmbH, a domain registrar based in Germany; and Frobbit.se, a company in Sweden. Frobbit is a reseller of Key Systems, and the two companies share some of the same online resources.

Woodcock said the hackers phished credentials that PCH’s registrar used to send provisioning commands over the Extensible Provisioning Protocol (EPP). EPP is a little-known interface that serves as a kind of back-end for the global domain name system: it is the channel through which registrars tell the registries that operate top-level domains (Verisign for .com, for example) about new registrations and about changes to existing domain records, such as which name servers a domain uses, as well as transfers. Anyone who can send valid EPP commands on a registrar’s behalf can therefore repoint a domain without ever touching the domain owner’s own servers.

“At the beginning of January, Key-Systems said they believed that their EPP interface had been abused by someone who had stolen valid credentials,” Woodcock said.

Key-Systems declined to comment for this story, beyond saying it does not discuss details of its reseller clients’ businesses.

Netnod’s written statement on the attack referred further inquiries to the company’s security director Patrik Fältström, who also is co-owner of Frobbit.se.

In an email to KrebsOnSecurity, Fältström said unauthorized EPP instructions were sent to various registries by the DNSpionage attackers from both Frobbit and Key Systems.

“The attack was from my perspective clearly an early version of a serious EPP attack,” he wrote. “That is, the goal was to get the right EPP commands sent to the registries. I am extremely nervous personally over extrapolations towards the future. Should registries allow any EPP command to come from the registrars? We will always have some weak registrars, right?”

DNSSEC

One of the more interesting aspects of these attacks is that both Netnod and PCH are vocal proponents and adopters of DNSSEC (a.k.a. “DNS Security Extensions”), which is a technology designed to defeat the very type of attack that the DNSpionage hackers were able to execute.

Image: APNIC

DNSSEC protects applications from using forged or manipulated DNS data by having zone operators digitally sign the records they publish, with each zone’s signing key vouched for by a DS record in its parent zone, in a chain that leads up to the root. A validating resolver checks that chain before accepting an answer: if the signatures verify, it returns the address and the user reaches the site. If the records have been altered, or are not signed by a key the parent zone vouches for, the resolver treats the answer as bogus and returns an error rather than the fraudulent address.

While DNSSEC can be an effective tool for mitigating attacks such as those launched by DNSpionage, only about 20 percent of the world’s Internet users sit behind resolvers that validate it, according to measurements gathered by APNIC, the regional Internet address registry for the Asia-Pacific region.

Jogbäck said Netnod’s infrastructure suffered three separate attacks from the DNSpionage attackers. The first two occurred in a two-week window between Dec. 14, 2018 and Jan. 2, 2019, and targeted company servers that were not protected by DNSSEC.

However, he said the third attack between Dec. 29 and Jan. 2 targeted Netnod infrastructure that was protected by DNSSEC and serving its own internal email network. Yet, because the attackers already had access to its registrar’s systems, they were able to briefly disable that safeguard — or at least long enough to obtain SSL certificates for two of Netnod’s email servers.

Jogbäck told KrebsOnSecurity that once the attackers had those certificates, they re-enabled DNSSEC for the company’s targeted servers while apparently preparing to launch the second stage of the attack — diverting traffic flowing through its mail servers to machines the attackers controlled. But Jogbäck said that for whatever reason, the attackers neglected to use their unauthorized access to its registrar to disable DNSSEC before later attempting to siphon Internet traffic.

“Luckily for us, they forgot to remove that when they launched their man-in-the-middle attack,” he said. “If they had been more skilled they would have removed DNSSEC on the domain, which they could have done.”
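The three outcomes Jogbäck describes (a DNSSEC-signed zone hijacked after its DS record was removed, and the same zone hijacked with the DS still in place) come down to one check a validating resolver performs: does a DS record published by the parent zone match a DNSKEY served by the child? The following is an added example, not code from Netnod, PCH or this article, and it models only that DS-to-DNSKEY link from RFC 4034 section 5; it does not verify RRSIGs over the answer records themselves. The zone name and key bytes are constructed and are not Netnod’s real keys.

```python
"""Why the DS record in the parent zone is what makes DNSSEC bite (added example)."""
import hashlib
from dataclasses import dataclass
from typing import List

DIGEST_SHA1 = 1      # RFC 4034 section 5.1.3 digest type numbers
DIGEST_SHA256 = 2
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int         # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes
    protocol: int = 3  # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as published in the parent zone


def make_ds(key: DNSKEY, digest_type: int = DIGEST_SHA256) -> DS:
    """The DS the parent publishes for a key: digest over wire(owner) || DNSKEY RDATA."""
    digest = _HASHES[digest_type](wire_name(key.owner) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Does this DS vouch for this DNSKEY? Tag and algorithm must agree and the digest must recompute."""
    if ds.digest_type not in _HASHES:
        return False  # unsupported digest type cannot be used to validate
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return make_ds(key, ds.digest_type).digest == ds.digest.lower()


def delegation_status(parent_ds_set: List[DS], child_dnskeys: List[DNSKEY]) -> str:
    """What a validating resolver concludes about the child zone.

    'insecure': no DS at the parent, so the child is treated as unsigned and any
                answer, including an attacker's, is accepted.
    'secure':   a DS matches a child DNSKEY; signatures are checked and a hijacked,
                unsigned or wrongly signed answer is rejected.
    'bogus':    DS present but no key matches; the resolver answers SERVFAIL, which
                is why users see 'the mail server is down' rather than the attacker.
    """
    if not parent_ds_set:
        return "insecure"
    if any(ds_matches(ds, key) for ds in parent_ds_set for key in child_dnskeys):
        return "secure"
    return "bogus"


# Constructed key material for an illustrative zone (not Netnod's real keys).
LEGIT_KSK = DNSKEY("example.se", 257, 13, bytes(range(64)))
ATTACKER_KSK = DNSKEY("example.se", 257, 13, bytes(range(64, 128)))
PARENT_DS = [make_ds(LEGIT_KSK)]


def replay_timeline() -> dict:
    """The sequence the article describes, as resolver verdicts."""
    return {
        "normal": delegation_status(PARENT_DS, [LEGIT_KSK]),
        # registrar/EPP access used to drop the DS, then the zone pointed at attacker servers
        "ds_removed_then_hijacked": delegation_status([], [ATTACKER_KSK]),
        # DS restored; the later hijack did not remove it again
        "hijacked_with_ds_in_place": delegation_status(PARENT_DS, [ATTACKER_KSK]),
    }
```

Note the gap this model makes obvious: an attacker with registrar access could just as easily have replaced the DS with one computed for their own key (`make_ds(ATTACKER_KSK)`), which validates as “secure”. DNSSEC verifies that the parent vouches for the key, not that the right person published the DS, which is why the registry-lock and registrar-account hygiene recommendations later in this story matter as much as signing.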

Woodcock says PCH validates DNSSEC on all of its infrastructure, but that not all of the company’s customers — particularly some of the countries in the Middle East targeted by DNSpionage — had configured their systems to fully implement the technology.

Woodcock said PCH’s infrastructure was targeted by DNSpionage attackers in four distinct attacks between December 13, 2018 and January 2, 2019. With each attack, the hackers would turn on their password-slurping tools for roughly one hour, and then switch them off before returning the network to its original state after each run.

The attackers didn’t need to enable their surveillance dragnet longer than an hour each time because most modern smartphones are configured to continuously pull new email for any accounts the user may have set up on his device. Thus, the attackers were able to hoover up a great many email credentials with each brief hijack.

On Jan. 2, 2019 — the same day the DNSpionage hackers went after Netnod’s internal email system — they also targeted PCH directly, obtaining SSL certificates from Comodo for two PCH domains that handle internal email for the company.

Woodcock said PCH’s reliance on DNSSEC almost completely blocked that attack, but that it managed to snare email credentials for two employees who were traveling at the time. Those employees’ mobile devices were downloading company email via hotel wireless networks that — as a prerequisite for using the wireless service — forced their devices to use the hotel’s DNS servers, not PCH’s DNSSEC-enabled systems.

“The two people who did get popped, both were traveling and were on their iPhones, and they had to traverse through captive portals during the hijack period,” Woodcock said. “They had to switch off our name servers to use the captive portal, and during that time the mail clients on their phones checked for new email. Aside from that, DNSSEC saved us from being really, thoroughly owned.”

Because PCH had protected its domains with DNSSEC, the practical effect of the hijack against its mail infrastructure was that for roughly an hour nobody but the two remote employees received any email.

“For essentially all of our users, what it looked like was the mail server just wasn’t available for a short period,” Woodcock said. “It didn’t resolve for a while if they happened to be checking their phone or whatever, and each person thought well that’s funny, I’ll check it back in a while. And by the time they checked again it was working fine. A bunch of our staff noticed a brief outage in our email service, but nobody thought enough of it to discuss it with anyone else or open a ticket.”

But the DNSpionage hackers were not deterred. In a letter to its customers sent earlier this month, PCH said a forensic investigation determined that on Jan. 24 a computer which holds its Web site user database had been compromised. The user data stored in the database included customer usernames, bcrypt password hashes, emails, addresses, and organization names.

“We see no evidence that the attackers accessed the user database or exfiltrated it,” the message reads. “So we are providing you this information as a matter of transparency and precaution, rather than because we believe that your data was compromised.”

IMPROVEMENTS

Multiple experts interviewed for this story said one persistent problem with DNS-based attacks is that a great deal of organizations tend to take much of their DNS infrastructure for granted. For example, many entities don’t even log their DNS traffic, nor do they keep a close eye on any changes made to their domain records.

Even for those companies making an effort to monitor their DNS infrastructure for suspicious changes, some monitoring services only take snapshots of DNS records passively, or else only do so actively on a once-daily basis. Indeed, Woodcock said PCH relied on no fewer than three monitoring systems, and that none of them alerted his organization to the various one-hour hijacks that hit PCH’s DNS systems.

“We had three different commercial DNS monitoring services, none of which caught it,” he said. “None of them even warned us that it had happened after the fact.”

Woodcock said PCH has since set up a system to poll its own DNS infrastructure multiple times each hour, and to alert immediately on any changes.
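The difference between a once-daily snapshot and polling several times an hour is the whole story of the one-hour hijacks described above. The following is an added example, not PCH’s or Netnod’s monitoring system: it keeps the last observed record set for each monitored name and type (including the DS record, which is what the attackers removed at Netnod), polls on a schedule, and emits an event on every change and every restoration. The lookup function is injected so the example runs offline against a constructed timeline; in production it would query several independent resolvers or the authoritative servers directly. The names, addresses, placeholder DS value and the one-hour window are all constructed.

```python
"""Polling DNS monitor that alerts on any change to a domain's records (added example)."""
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]                           # (owner name, record type)
RecordSet = FrozenSet[str]
Lookup = Callable[[str, str, datetime], RecordSet]

# Constructed "known good" state; a real deployment would seed this from a trusted query.
BASELINE: Dict[Key, RecordSet] = {
    ("example.gov", "NS"): frozenset({"ns1.example.gov.", "ns2.example.gov."}),
    ("mail.example.gov", "A"): frozenset({"203.0.113.25"}),
    ("example.gov", "DS"): frozenset({"12345 13 2 aa11"}),  # placeholder digest
}

# Constructed one-hour hijack, modelled on the hour-long runs described in the article.
HIJACK_START = datetime(2018, 12, 18, 14, 0)
HIJACK_END = HIJACK_START + timedelta(hours=1)
HIJACKED: Dict[Key, RecordSet] = {
    ("example.gov", "NS"): frozenset({"ns1.attacker.example.", "ns2.attacker.example."}),
    ("mail.example.gov", "A"): frozenset({"198.51.100.7"}),
}


def simulated_lookup(name: str, rtype: str, now: datetime) -> RecordSet:
    """Stand-in for a real DNS query: returns the hijacked set inside the window."""
    key = (name, rtype)
    if HIJACK_START <= now < HIJACK_END and key in HIJACKED:
        return HIJACKED[key]
    return BASELINE[key]


class Monitor:
    """Keeps the last observed record set per key and emits an event on every change."""

    def __init__(self, baseline: Dict[Key, RecordSet], lookup: Lookup):
        self.baseline = baseline
        self.lookup = lookup
        self.last_seen: Dict[Key, RecordSet] = dict(baseline)
        self.events: List[dict] = []

    def poll(self, now: datetime) -> List[dict]:
        new_events = []
        for (name, rtype), expected in self.baseline.items():
            observed = self.lookup(name, rtype, now)
            if observed == self.last_seen[(name, rtype)]:
                continue  # nothing new since the last poll; no repeat alert
            new_events.append({
                "time": now.isoformat(), "name": name, "rtype": rtype,
                "kind": "restored" if observed == expected else "changed",
                "observed": sorted(observed),
                "added": sorted(observed - expected),
                "removed": sorted(expected - observed),
            })
            self.last_seen[(name, rtype)] = observed
        self.events.extend(new_events)
        return new_events


def run_schedule(interval: timedelta,
                 start: datetime = datetime(2018, 12, 18),
                 end: datetime = datetime(2018, 12, 19)) -> List[dict]:
    """Poll every `interval` across the day containing the hijack; return all events."""
    mon = Monitor(BASELINE, simulated_lookup)
    t = start
    while t <= end:
        mon.poll(t)
        t += interval
    return mon.events


def compare_cadences() -> Dict[str, int]:
    """Once-a-day snapshots versus ten-minute polling over the same timeline."""
    return {
        "daily_snapshot_events": len(run_schedule(timedelta(days=1))),
        "ten_minute_events": len(run_schedule(timedelta(minutes=10))),
    }
```

With the daily cadence the hijack produces no events at all, which is the after-the-fact silence Woodcock describes; at ten minutes the monitor raises two “changed” events at the start of the window and two “restored” events at the end. Query from more than one vantage point in production, since an attacker who controls the name servers can answer your monitoring resolver honestly and everyone else dishonestly.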

Jogbäck said Netnod also has beefed up its monitoring, as well as redoubled efforts to ensure that all of the available options for securing their domain infrastructure were being used. For instance, the company had not previously secured all of its domains with a “domain lock,” a service that requires a registrar to take additional authentication steps before making any modifications to a domain’s records.

“We are really sad we didn’t do a better job of protecting our customers, but we are also a victim in the chain of the attack,” Jogbäck said. “You can change to a better lock after you’ve been robbed, and hopefully make it more difficult for someone to do it again. But I can truly say we have learned a tremendous amount from being a victim in this attack, and we are now much better off than before.”

Woodcock said he’s worried that Internet policymakers and other infrastructure providers aren’t taking threats to the global DNS seriously or urgently enough, and he’s confident the DNSpionage hackers will have plenty of other victims to target and exploit in the months and years ahead.

“All of this is a running battle,” he said. “The Iranians are not just trying to do these attacks to have an immediate effect. They’re trying to get into the Internet infrastructure deeply enough so they can get away with this stuff whenever they want to. They’re looking to get as many ways in as possible that they can use for specific goals in the future.”

RECOMMENDATIONS

John Crain is chief security, stability and resiliency officer at ICANN, the non-profit entity that oversees the global domain name industry. Crain said many of the best practices that can make it more difficult for attackers to hijack a target’s domains or DNS infrastructure have been known for more than a decade.

“A lot of this comes down to data hygiene,” Crain said. “Large organizations down to mom-and-pop entities are not paying attention to some very basic security practices, like multi-factor authentication. These days, if you have a sub-optimal security stance, you’re going to get owned. That’s the reality today. We’re seeing much more sophisticated adversaries now taking actions on the Internet, and if you’re not doing the basic stuff they’re going to hit you.”

Some of those best practices for organizations include:

-Use DNSSEC (both signing zones and validating responses)

-Use registration features like Registry Lock that can help protect domain name records from being changed

-Use access control lists for applications, Internet traffic and monitoring

-Use 2-factor authentication, and require it to be used by all relevant users and subcontractors

-In cases where passwords are used, pick unique passwords and consider password managers

-Review accounts with registrars and other providers

-Monitor certificates by monitoring, for example, Certificate Transparency Logs
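The last recommendation, and the crt.sh observation earlier in the story that certificates were obtained days or hours after each hijack, both reduce to a simple audit: every certificate logged for a name you own should come from a CA you actually use, and none should be dated inside a window when your DNS pointed somewhere else. The following is an added example, not code from the article or from crt.sh. It reads CT entries, here a constructed list shaped like crt.sh’s JSON output (issuer_name, name_value with one SAN per line, not_before), and reports any certificate that fails either check. The domain names, timestamps, hijack window and policy are constructed; the CA names are illustrative and the entries are not real certificates.

```python
"""Certificate Transparency audit for names you own (added example)."""
import json
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed feed approximating crt.sh's JSON shape; not real certificates.
CT_FEED_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=SE, O=Internal Corp CA, CN=Internal Corp Issuing CA 1",
     "name_value": "mail.example.se\nwebmail.example.se", "not_before": "2018-10-03T08:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "webmail.example.se", "not_before": "2018-12-18T15:41:09"},
    {"id": 103, "issuer_name": "C=GB, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
     "name_value": "*.example.se", "not_before": "2019-01-02T02:12:30"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.unrelated.example", "not_before": "2019-01-02T02:15:00"},
])

# Which CA organisations may issue for names under each zone you control (constructed).
POLICY: Dict[str, List[str]] = {"example.se": ["Internal Corp CA"]}

# Windows in which passive DNS or your own monitoring showed the records pointing elsewhere (constructed).
HIJACK_WINDOWS: List[Tuple[datetime, datetime]] = [
    (datetime(2018, 12, 18, 15, 0), datetime(2018, 12, 18, 16, 0)),
]


def issuer_org(issuer_dn: str) -> Optional[str]:
    """Pull the O= attribute out of an issuer DN string (simple split; escaped commas not handled)."""
    for part in issuer_dn.split(","):
        attr, _, value = part.strip().partition("=")
        if attr == "O":
            return value
    return None


def zone_for(name: str, policy: Dict[str, List[str]]) -> Optional[str]:
    """The policy zone that `name` equals or sits under; a wildcard is governed by its parent."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return candidate
    return None


def parse_feed(text: str) -> List[dict]:
    entries = []
    for raw in json.loads(text):
        entries.append({
            "id": raw["id"],
            "issuer": issuer_org(raw["issuer_name"]) or raw["issuer_name"],
            "names": [n.strip().lower() for n in raw["name_value"].splitlines() if n.strip()],
            "not_before": datetime.fromisoformat(raw["not_before"]),
        })
    return entries


def in_window(t: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    return any(start <= t < end for start, end in windows)


def audit(entries: List[dict], policy=POLICY, windows=HIJACK_WINDOWS) -> List[dict]:
    """One finding per (certificate, reason) for certificates that touch a policy zone."""
    findings = []
    for e in entries:
        zones = sorted({z for z in (zone_for(n, policy) for n in e["names"]) if z})
        if not zones:
            continue  # not our name space
        for zone in zones:
            if e["issuer"] not in policy[zone]:
                findings.append({"id": e["id"], "zone": zone, "reason": "unexpected_issuer",
                                 "issuer": e["issuer"], "names": e["names"]})
        if in_window(e["not_before"], windows):
            findings.append({"id": e["id"], "zone": zones[0], "reason": "issued_during_hijack",
                             "issuer": e["issuer"], "names": e["names"]})
    return findings


def run_audit() -> List[dict]:
    return audit(parse_feed(CT_FEED_JSON))
```

In production, feed `audit()` with the entries a CT monitor or crt.sh returns for your zones and page on any finding. A CAA record limiting issuance to your CA is worth publishing as well, but it is no defense against this particular campaign: an attacker who controls your DNS can change the CAA record too, so the CT log is the only record of issuance they cannot rewrite.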


85 comments

  1. Awesome as always. Thanks Brian. Just out of curiosity, how would you relate DNSSEC and the attacks you lay out here, to DNS cache poisoning, as described at GRC.com, and Steve Gibson’s “DNS Spoof” testing tool?
    https://www.grc.com/dns/dns.htm

    • DNS cache poisoning most often happens at the more local level, i.e. at the user’s machine or router. The attacks profiled in this story involve compromising DNS settings at a far higher level, one that goes well beyond the control of the end user.

  2. “The Iranians are not just trying to do these attacks to have an immediate effect”.

    I have looked through the article, but I cannot find any evidence that points to “Iranians” as the perpetrators.

    Is there any, or is this just more political character assassination?

    • Check out the CrowdStrike blog post linked in the story. I did not print a lot of the information I have, mainly because the story was already very long, and in any case this is likely not the last one I will write on the topic. But also, I tried not to give away too many details that would help the attackers in the future to improve their attacks. That said, it was clear from my interviews with many people not named in this story that there are multiple clues pointing to a fairly significant effort by some specific threat actors.

      • Careful with CrowdStrike, they are just a private wing of the FBI… look at all the connections to the FBI, it is scary.

        Look at how they handled the DNC hack and didn’t stop it for what 19 days or something insane but yet only took what 2 hours to identify “the Bears”.. scary.

        CrowdStrike will be exposed one of these days….

        • Please no conspiracy theories and other nonsense. Someone needs to lay off the AM radio and Maga hats.

          • “Please no conspiracy theories and other nonsense.” Seems as though you need to heed your own advice. No need to throw MAGA hats into this.

          • No MAGA hat here (don’t/won’t own one) and no conspiracy just facts from CrowdStrike own reports… but hey if you want to act like a fool be my guest 🙂

          • Also educate yourself on who works at CrowdStrike… Most C-levels are ex-FBI and also look at the co-founders backgrounds… not exactly clean.

          • One simple example for you that is straight facts that cannot be argued with.

            Steven Chabinsky is “General Counsel and Chief Risk Officer” for the cybersecurity technology firm CrowdStrike. Chabinsky spent 15 years working for the FBI prior to working at
            CrowdStrike. Chabinsky joined the FBI in 1995 as an attorney in the Office of the General Counsel
            where he initially focused on employment law and personnel litigation. In 1998, Chabinsky was
            selected as the Principal Legal Advisor to the multi-agency National Infrastructure Protection
            Center (NIPC) and became Senior Counsel to the FBI’s Cyber Division upon its creation in 2002.

            While at the FBI, Chabinsky was:
            – Deputy assistant director of the FBI’s Cyber division

            -Focused on protecting the United States from cyber-attack, cyber
            espionage, online child exploitation, and Internet fraud.
            -Homeland Security Act of 2002
            -National Strategy to Secure Cyberspace of 2003
            -National Strategy to Secure Cyberspace of 2008
            -National Security Presidential Directive 54

            – Between 2007 and 2009, Chabinsky served in the Office of the Director of National
            Intelligence (ODNI) in various capacities, including Acting Assistant Deputy Director of
            National Intelligence for Cyber, Chairman of the National Cyber Study Group, and Director
            of the Joint Interagency Cyber Task Force.

            -April 13, 2016 Chabinsky was presidentially appointed to the White House Commission
            on Enhancing National Cybersecurity. (Executive order 13718) The Commission provided
            recommendations to the President to strengthen cybersecurity in the public and private
            sectors, while protecting privacy, fostering innovation and ensuring economic and national
            security.

            (source https://obamawhitehouse.archives.gov/the-press-office/2016/04/13/president-obama-announces-more-key-administration-posts)

            • Lets be clear, there are “conspiracies”, where people with power gather. The idea there “arent any” is just weird.

              Being picky about who you buy your stuff and your data from is a duty you have in the modern world.

      • Crowdstrike? And they conclude it’s the main US target for regime change in that region of the world? After their handling of the DNC servers I don’t trust them any further than I can throw them. They are like the CIA, you have to assume they are lying unless they have hard facts to back it up.

        Not that I would put it past Iran to do something like this but there is another country that should be on there..but it’s not

    • “I have looked through the article, but I cannot find any evidence that points to “Iranians” as the perpetrators.

      Is there any, or is this just more political character assassination?”

      LOL; do you honestly think Brian is committing political character assassination? Unless you don’t work in the security space, your comment is laughable. The Chinese, Iranians and Russians are always at it Ahmed, I mean, Tom Welsh.

  3. Excellent research Brian. I hope the 20% that uses DNSSec is all in the USA. As a Cyber Security Analyst, there is a reason for any anomaly. If your mail exchange is broken for an hour, investigate it. We all need to do more than protect our systems. We need to verify where our data is going out to also.

  4. The Sunshine State

    I know with my domain name, I use 2FA to access the website interface, along with DNSSEC, and Registry Lock is enabled.

  5. “However, he said the third attack between Dec. 29 and Jan. 2 targeted Netnod infrastructure that was protected by DNSSEC and serving its own internal email network. Yet, because the attackers already had access to its registrar’s systems, they were able to briefly disable that safeguard.”

    That doesn’t make sense. It should not be possible to disable DNSSEC by turning off DNSSEC on the server zone. For DNSSEC to provide any value, it requires configuration for both DNS servers and enforcement on client computers. On Windows, client enforcement is performed using the Name Resolution Policy Table (NRPT). If DNSSEC is not enforced on the client, it doesn’t really provide any value. If DNSSEC is enforced on the client, disabling DNSSEC for the zone(s) on a DNS server would cause a name resolution failure on the client. If any of the victim organizations had DNSSEC-enabled domains but did not enforce DNSSEC on their client computers they shot themselves in the foot.

    • All it takes to kill DNSSEC is to get rid of the DS record. I’ve had to walk many a company through why their brand new DNSSEC configuration didn’t really work and it was almost always because they had no corresponding DS record. People just don’t do their homework anymore: “But we signed the zone!”

      • Cached DS records for the parent would likely be in resolvers for a while, and thus would cause DNSSEC failures for clients that were validating. In particular, if CAs issuing DV certs were doing DNSSEC validation as recommended in the ACME spec, they should have (a) not issued the CERTS and (b) raised alarms during this period.

        The mechanisms are there to prevent these types of attacks, but you have to use them.

        https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-11.2
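The two replies above turn on one detail of how the DNSSEC chain of trust is anchored: a signed zone is only validated if the parent publishes a DS record that matches one of the child's keys, and a resolver that still holds a cached DS will reject a zone whose keys no longer match it. The following is an added example, not code from any commenter, that builds a DS record from a DNSKEY the way RFC 4034 specifies (key tag plus SHA-256 digest over owner name and RDATA) and shows the three outcomes a validating resolver can reach; the key bytes are a constructed placeholder, not real key material.

```python
"""Added example: DS records and the DNSSEC chain of trust (RFC 4034).
Standard library only; the 64-byte public key below is a constructed
placeholder standing in for an ECDSA P-256 key, not a real key."""
import hashlib
import struct


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """RFC 4034 section 2: DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit checksum over the RDATA; DS and RRSIG
    records carry it so a resolver can pick the right DNSKEY from the RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """RFC 1035 uncompressed wire form of an owner name, lowercased as
    RFC 4034 section 6.2 requires for the digest input."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, rdata: bytes, algorithm: int) -> dict:
    """RFC 4034 section 5.1.4: digest = SHA-256(owner name wire | DNSKEY RDATA).
    This is the record the parent (the TLD registry) publishes for the child."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest.hex()}


def chain_status(parent_ds: list, child_dnskeys: list, owner: str) -> str:
    """What a validating resolver concludes for the delegation.
    'insecure': no DS at the parent, so the child's signatures are never checked
                (the "But we signed the zone!" case).
    'secure':   some DS matches one of the child's DNSKEYs.
    'bogus':    DS records exist but match no key, e.g. a resolver still holding
                the cached DS after the keys were replaced; answers are refused."""
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        for flags, alg, pubkey in child_dnskeys:
            if ds_record(owner, dnskey_rdata(flags, alg, pubkey), alg) == ds:
                return "secure"
    return "bogus"


if __name__ == "__main__":
    ksk = (257, 13, b"\x00" * 64)            # constructed KSK: flags=257, ECDSAP256SHA256
    ds = ds_record("example.com", dnskey_rdata(*ksk), 13)
    print("DS published at parent:", ds)
    print("zone signed, no DS:      ", chain_status([], [ksk], "example.com"))
    print("zone signed, DS matches: ", chain_status([ds], [ksk], "example.com"))
    print("keys swapped, DS cached: ", chain_status([ds], [(257, 13, b"\x01" * 64)], "example.com"))
```

The last scenario is the one the second reply describes: while the old DS is still cached, every validating resolver returns SERVFAIL for the zone instead of the attacker's answers, which is both a protection and a signal worth alerting on.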

  6. “Why CISA issued our first Emergency Directive”
    By Christopher Krebs, Director

    Any relation?

  7. Iran & Russia seem to be getting prepared for cyber warfare.
    Hope our government (Homeland Security, FBI, CIA) will protect our nation from this. I really wish & pray that President Trump would ask Brian Krebs to be the head of our government cyber terrorist department!

    • “Hope our government (Homeland Security, FBI, CIA) will protect our nation from this.”

      You hope in vain. We’re on our own.

      The problem is, nobody wants the FBI or DHS coming in and instructing them how to pick good passwords or how not to get phished. They can offer help, but they don’t have the legal authority to force anybody in the private sector to not be idiots. And none of us would want them to have that anyway.

      So everyone is responsible for locking up their own bicycles. That’s just the way it is, and the way it will be.

    • Talos: “The attackers redirected the hostnames to the IP 185.20.187[.]8 for a short time.” Nov. 6. Sept. 13, etc.

      C2 (Command and control) Server, along with two other IPs (all on same Netherlands network).

  8. It amazes me that we could fail to practice data hygiene that was recommended years ago! I mean, DNSSEC is pretty old. Registry Lock has been available for some time as well.
    Multi-factor Authentication is a pretty new trend but it’s a key part to the cyber kill chain.

    Hope we learn from this.

    • Registry Lock is actually not that well known and people confuse it with the transfer lock. Add in the fact that it costs money and you have your answer.

  9. What do the brackets [ ] around the dot of the last octet of an IP address mean?

    • They are designed to prevent web crawlers from crawling into those (criminal) servers. And to prevent mobile web browsers from turning them into links, which could end up tricking innocent readers into visiting the sites.

    • The [.] is intended to ensure that the link doesn’t become clickable. Therefore it is a protection mechanism for the readers of this site (among other things)

    • Probably to keep the IP address from displaying as a link in most browsers. A misfeature that may be a problem when discussing malicious sites as Brian does.

      And thanks for another great article, Brian!

      • Thanks. Yes, as others have said, the brackets effectively prevent any site, browser or email clients from making these addresses into a clickable link.

  10. I would add to the list of practices to get certificates that contain proof of identity, not just a domain.

    A certificate that says “this is example.com” is meaningless in the face of a DNS hijack.

    One that says “Example Corporation, 1234 Fake Street, Santa Clara, CA” and comes from an authority that requires proof of identity documents is going to be more secure. Especially if users are used to seeing the full name in the location bar and it suddenly changes to just “example.com” at some point.

    • Good idea!

      Too bad you can’t set “levels” of certificate checking in any client software. It would be nice to only allow certs for a list of root domain names to be Organization Validated (OV) or Extended Validated (EV).

      Some browser add-on software allows cert pinning, but that gets annoying quickly with many legitimate certs that often rotate.

      Better would be to say “only allow OV and above for this domain”.

  11. No indicator of how end users protect themselves. I just did a repave after watching DNS issues for quite some time. For once I did not use my DNS rotator script – I have a script that picks a random DNS server at random intervals. Brutal but seems to prevent obvious DNS malfeasance. Bit fed up with all of this, the internet is deliberately kept broken IMHO. Iran should have sanctions imposed, such as removing all Iranian students/professors from Universities until they learn to be good citizens. Same with Chinese etc… LOL look at any ‘sensitive’ workplace and the names of the shakers and movers, all vetted perfect too… State sponsored stooges and spies in all the most sensitive of places, while domestic students of equal or better ability have to struggle with debt and loan, if they can find a place at all! Stupidity of the highest order!

    • It is somewhat more complicated for end-users. You can set your DNS settings to something like Google’s DNS — 8.8.8.8 and 4.4.2.2 — which should enforce DNSSEC when the domain signs it as such. But things can get trickier when you are not on your own network, and your mobile data provider’s DNS settings kick in. I’m not sure there is a way for end users to control what DNS settings get used in that case.

      • >>I’m not sure there is a way for end users to control what DNS settings get used in that case.

        1.1.1.1 offers their Android app that may address that question to a degree. Wouldn’t VPNs (in particular those that permit the user to use a DNS server of their choice) put the question to bed, concerning the use of insecure (e.g., hotel) public networks?

        • Actually, no. Say you are at Hilton, and their system has been hacked. To access the web, you have to sign in to Hilton, and a cookie is processed on your device. Is that Hilton’s cookie or the bad actor’s modified cookie? That cookie modifies your system to be part of their system. What did they modify in your system?
          Good article, I liked it. Did not like the identification of the host, but everyone points back to lack of security protocols for visiting outside of your area. Especially tethering of phone to mobile phone services. More secure than the systems of the place you are staying. But there are bad actors in phone systems also.

      • “…when you are not on your own network, and your mobile data provider’s DNS settings kick in. I’m not sure there is a way for end users to control what DNS settings get used in that case.”

        Changing to another network provider is an option, if the user influences the paying of the network provider, as is the case for network provider service to a personal device. Which may entail changing to another device though, i.e. Verizon, AT&T, Sprint, T-Mobile, etc.

      • I keep mobile data turned off. Simplest solution.

        SMS and calling work without mobile data, out on the road. Everything else can wait until my device is on a trusted wifi network, configured to use a DNS filtering service.

        It has the side effect of making my phone bill cheap and my life less stressful.

      • DNS over HTTPS/TLS [1] can help some portion of things.

        Getting mail clients to not eagerly connect to links while they’re only partially established is a real problem. It was a problem a decade ago. Probably the easiest solution is to not use email clients (i.e. use a browser).

        The other half of the solution is to rely on a major vendor for email (i.e. Google [Gmail]/MS [Office365]). By relying on a major vendor to host your mail on their normal domains you’re putting your eggs into a basket that has better scrutiny than your average bear. When someone hijacks google.com or gmail.com, people around the world will notice. When someone hijacks your-localized-domain-that-only-5-people-use.com, most people won’t notice or care. Also, both vendors have 2FA and other best practices and support enforcing them.

        [1] https://developers.google.com/speed/public-dns/docs/dns-over-tls

      • “I’m not sure there is a way for end users to control what DNS settings get used in that case.”

        Of course there is. They just make it obscure and complicated to diddle that so as to keep ordinary stupid end-lusers from hurting themselves.

        If you know what you are doing, you can usually accomplish just about anything.

    • I hear where you’re coming from. I’ve worked as a consultant in several places that were dominated by Visa immigrants from Asia. They’ve kind of done to the white collar (IT anyways) what the Latinos have done to the blue collar workers. I have nothing against them personally, but it irks me that employers are cutting corners this way and American citizens are either unemployed or have to take huge cuts in wages to land a job.
      On the DNS issue, I manually set my Android DNS settings to something more secure on my home and other known networks, but on a public network, there is no way to do that (perhaps a 3rd party app?).

    • I’m a German/Irish-American and my wife is Iranian; her parents were born in Iran, she was actually born in another country and moved here as an infant, and they are all legal citizens. She is an art teacher and is really bad at technology, and had nothing to do with this. Her family is very nice and they all love this country, having lived here for over 30 years. Sanctioning them or other Iranians living and working in the United States would be similar to what we did with the Japanese internment during WW2.

      I urge people to remember to separate the people in power of a government ordering such attacks, and those that live under that rule, especially in an oppressed society.

      Reverse example:

      The United States (Government, i.e. the military, or the CIA) carries out a cyber attack on another country, let’s say Russia. In Russia, they frame this as “The U.S. (as a whole) have attacked us, and any and all American citizens are a part of this.” Any Americans living in Russia are fired, kicked out of universities, deported, or even possibly jailed and their property seized.

      Would that be fair to the 30,000 Americans that live in Russia, even though they had nothing to do with the attack, just to send a message to the government of the place where they are citizens?

      • Sure, but when people are looking for pretexts for future actions, those niceties and distinctions go by the wayside. So, instead of the nuanced and reasonable “suspected Iranian government-backed hackers”, you get the more direct and visceral “Iranians”. Bolton and company are very grateful as they plot their assault on Iran.

  12. Defending DNS is of course important and good. However to the point of users protecting themselves, this is fundamentally a question of: am I connected to the server where I established my account?
    We can use Yubikey or equivalent for the server to authenticate the user. *BUT WE NEED* a reverse Yubikey, where my key also confirms the server is the one where I established my account.

    I believe the technology of a Yubikey is applicable here. But the user experience is AWOL!! I want to plug in my key and ask the key+browser to confirm: based on an encrypted exchange, the server I am communicating with is indeed in possession of the encryption key I previously established there.

    Please!!!

  13. More organizations should deploy DNSSEC but most don’t understand how it works and why it is valuable.

  14. Maybe this will help the education issue:

    Secure Domain Name System (DNS) Deployment Guide
    https://csrc.nist.gov/publications/detail/sp/800-81/2/final

  15. Very interesting post!

    I mean some of the people working at Netnod are extremely skilled and experienced in the infrastructure of the Internet but they still got hacked.

    On a sadder note; I believe that the registrars are the weakest link. Many of them still don’t even support MFA!

  16. Why aren’t CAA records listed as a recommendation? If PCH and Netnod had DNS CAA records set, to say DigiCert, then the attacker would not have been able to issue a certificate from Let’s Encrypt.

    • CAA fields are a good idea, but once someone controls your DNS, they can replace the CAA, so unless you’ve managed to get your CAA field cached *everywhere* for a *long* time, you’re still in trouble.
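To make the exchange above concrete, here is an added example (not code from either commenter) of the decision a CA makes against CAA records under RFC 8659: climb from the requested name to the first CAA RRset, honour the issuer-critical flag, prefer `issuewild` for wildcard requests, and compare the issuer domain. The zone tables are constructed in-memory stand-ins for DNS answers, and the CA names `ca-one.example` and `ca-two.example` are placeholders; the second table shows why the check is only as strong as control of the zone.

```python
"""Added example: CAA evaluation as a CA performs it (RFC 8659), with a
constructed zone and the same zone after its DNS has been rewritten."""

CRITICAL = 128                     # RFC 8659 section 4.1: issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_lookup(zone: dict, name: str) -> list:
    """RFC 8659 section 3: use the CAA RRset of the closest ancestor (or the
    name itself) that has one; names with no records are skipped."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca-one.example; validationmethods=dns-01' -> 'ca-one.example'.
    A bare ';' yields '' and therefore matches no CA: nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(zone: dict, name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """True if a CA identified by ca_domain may issue for name."""
    rrset = caa_lookup(zone, name)
    if not rrset:
        return True                # no CAA anywhere up the tree: issuance is unrestricted
    if any(r["flags"] & CRITICAL and r["tag"] not in KNOWN_TAGS for r in rrset):
        return False               # a critical property the CA does not understand
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r["tag"] == tag]
    if wildcard and not relevant:  # no issuewild: issue records govern wildcards too
        relevant = [r for r in rrset if r["tag"] == "issue"]
    if not relevant:
        return True                # only iodef (reporting) properties are present
    return any(issuer_domain(r["value"]) == ca_domain.lower() for r in relevant)


# Constructed policy: one CA for example.com and everything beneath it,
# plus an iodef address the CA should notify about rejected requests.
ZONE = {
    "example.com": [
        {"flags": 0, "tag": "issue", "value": "ca-one.example"},
        {"flags": 0, "tag": "iodef", "value": "mailto:security@example.com"},
    ],
}

# The same zone after someone with registrar or DNS-provider access has
# replaced the policy: the CA they want to use now passes the check.
HIJACKED_ZONE = {
    "example.com": [{"flags": 0, "tag": "issue", "value": "ca-two.example"}],
}

if __name__ == "__main__":
    print("ca-one for www.example.com:", caa_allows(ZONE, "www.example.com", "ca-one.example"))
    print("ca-two for www.example.com:", caa_allows(ZONE, "www.example.com", "ca-two.example"))
    print("ca-two after DNS rewrite:  ", caa_allows(HIJACKED_ZONE, "www.example.com", "ca-two.example"))
```

CAA is still worth publishing: it stops misissuance by a CA acting on a bad request, and with DNSSEC-validated lookups it stops a spoofed answer. What it cannot do is survive the attacker editing the zone itself, which is why the comment pairs it with protecting the registrar account.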

  17. Crazy, especially if this is the sign of things to come.

    Having EPP credentials alone, would not suffice. They also would have to have the certificate a registrar uses to send messages and would need to be sending the messages from the proper IP addresses.

  18. Aside from 2FA, did any of the affected have a privileged account management solution in place? It seems like modifying root DNS records ought to require more approval than a username and password and ought to be strictly audited and reviewed.

    • That’s exactly where I’m at! Some very big DNS providers (dinosaurs of the industry) don’t even offer 2 factor. How is that possible!?! If there’s something that should absolutely have 2-factor in front of it, this is one of them. No MFA, no 3rd party authentication hooks to get MFA from an ID provider, no logs provided except for on demand and no alerting when things change. Having to write a script to go do digging and look for a diff in results from last time is a good option outside of DNS sec to notice. You would think at this point, these guys would provide MFA, even turn it on by default but they won’t. Sad state of affairs.
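The "script that goes digging and looks for a diff" the reply above wishes for is simple to build and catches exactly the change described in the article: an A, NS or MX record quietly pointed somewhere else. This is an added example, not the commenter's script; both snapshots are constructed dicts, and in real use the `CURRENT` side would be filled from your resolver and the `PREVIOUS` side loaded from the JSON file the helper writes.

```python
"""Added example: snapshot-and-diff monitoring of a domain's critical records.
Snapshots are keyed 'owner/TYPE' -> list of rdata strings; the IPs below are
constructed documentation-range addresses."""
import json

# Types whose unexpected change usually means a registrar/DNS-provider compromise
# or an unapproved change; anything else is reported at lower severity.
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "MX", "CAA", "DS"}

PREVIOUS = {  # constructed baseline, as saved by save_snapshot() on the last run
    "example.com/NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
    "example.com/A": ["192.0.2.10"],
    "mail.example.com/A": ["192.0.2.25"],
    "example.com/MX": ["10 mail.example.com."],
    "example.com/TXT": ["v=spf1 mx -all"],
}

CURRENT = {  # constructed "now" state: the mail host was repointed, a TXT was added
    "example.com/NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
    "example.com/A": ["192.0.2.10"],
    "mail.example.com/A": ["198.51.100.77"],
    "example.com/MX": ["10 mail.example.com."],
    "example.com/TXT": ["v=spf1 mx -all", "verification=abc123"],
}


def diff_snapshots(previous: dict, current: dict) -> list:
    """Return one change record per (name, type) whose RRset differs.
    Record order is ignored, so re-ordered answers do not trigger alerts."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        old, new = set(previous.get(key, [])), set(current.get(key, []))
        if old == new:
            continue
        name, rtype = key.rsplit("/", 1)
        changes.append({
            "name": name, "type": rtype,
            "removed": sorted(old - new), "added": sorted(new - old),
            "severity": "high" if rtype in HIGH_RISK_TYPES else "low",
        })
    return changes


def format_report(changes: list) -> str:
    """Plain-text summary suitable for a ticket or chat alert."""
    if not changes:
        return "no changes"
    lines = []
    for c in changes:
        lines.append(f"[{c['severity'].upper()}] {c['name']} {c['type']}: "
                     f"-{c['removed']} +{c['added']}")
    return "\n".join(lines)


def save_snapshot(path: str, snapshot: dict) -> None:
    """Persist the current answers so the next run can diff against them."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({k: sorted(v) for k, v in snapshot.items()}, fh, indent=2, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print(format_report(diff_snapshots(PREVIOUS, CURRENT)))
```

Run it from more than one vantage point (your own network and an external resolver) and include the NS set of the parent delegation, since the article's attacks changed records at the registrar rather than on the authoritative server.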

  19. Hey Brian, thanks for shedding light on this!

    Question, http://www.cnss.gov has been down for several weeks.

    Would you happen to have any info on that? I cannot find info anywhere discussing this site being down. Honestly, I’m pretty sure it went down during the shutdown, or right after it ended….which is suspect.

  20. Glad to see this get some of the substantive, even-handed coverage it deserves. It was kind of weird that this was all out there in passive DNS and certificate transparency logs but there was no public debate yet, which if we didn't have it would be a real missed opportunity.

    > I Am extremely nervous personally over extrapolations towards the future

    Yeah, but is the operator of one of the 13 root servers nervous enough? Sure middle eastern governments and the US government are gonna be spied on, people get killed based on that information and geopolitical balances shift based on this.. bad.. but you know, spies gonna spy.

    But the “Shamoon 1” “Shamoon 2” and “Shamoon 3” actor suspected of ties to Iran has been busy not just spying but sabotaging the oil sector left and right, with no regard for western collateral damage.

    I am not saying Netnod was pwned more than they transparently explained in their press release… but let's ask, hypothetically, are we okay with the idea of Iran having silently pwned a root server? What if some Israeli/US politician wants to distract from some domestic stuff with some random symbolic bombing because “backwards Iranians can't retaliate anyway”?

    What if one in 13 root server networks suddenly starts giving bogus answers that get cached for hours? Sure it's one worst case scenario, but with more and more stuff casually moving on-line, if only as VPNs that connect to names not IPs, how bad are we talking about?

    Two more good tips:
    The Google story is a nice long TL;DR description of a great initiative… but here is the nickel summary: if you are responsible for any domain more serious than nyan.cat, pop an RSS/Atom link like this

    https://crt.sh/atom?q=krebsonsecurity.com

    in your Outlook, or phone or browser or SOC software security update feedreader. Probably nothing will happen for years, but maybe one day you get a message on a certificate you didn’t request yourself.

    And don’t just follow the excellent tips yourself, if you run into someone who runs something critical give them a little audit before your next face-to-face meeting and bring it up, friends don’t let friends miss out on DNSSEC.

    Up next, a quick fix for BGP, should be easy enough right?

    http://www.saipem.com/sites/SAIPEM_en_IT/con-side-dx/Press%20releases/2018/Cyber%20attack%20update.page

    https://www.energyvoice.com/oilandgas/188750/petrofac-confirms-system-security-breach/
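The certificate-feed tip in the comment above amounts to a small monitoring loop: read the feed, remember which entries you have already seen, and alert on any certificate whose issuer is not one you use. The following is an added example, not the commenter's setup; the Atom document is a constructed sample in plain Atom with the issuer in the entry summary, and crt.sh's real feed lays its entries out differently, so `parse_entries` is the part to adapt. The CA organisation names are placeholders.

```python
"""Added example: alert on certificates from unexpected issuers in a
CT-log Atom feed.  The feed text is constructed; only parse_entries()
depends on the feed layout."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Certificates for example.com (constructed sample)</title>
  <entry>
    <id>urn:ct:sample:1</id>
    <title>example.com</title>
    <updated>2019-02-01T10:00:00Z</updated>
    <summary>Issuer: C=US, O=Example Trusted CA, CN=Example Trusted CA Issuing 1</summary>
  </entry>
  <entry>
    <id>urn:ct:sample:2</id>
    <title>mail.example.com</title>
    <updated>2019-02-20T03:12:00Z</updated>
    <summary>Issuer: C=US, O=Some Other CA, CN=Some Other CA Authority 3</summary>
  </entry>
</feed>
"""


def parse_entries(feed_xml: str) -> list:
    """Extract (id, name, updated, issuer DN) from each Atom entry.
    Assumes the constructed layout above: issuer DN after 'Issuer:' in <summary>."""
    root = ET.fromstring(feed_xml)
    entries = []
    for e in root.findall(ATOM + "entry"):
        summary = e.findtext(ATOM + "summary", "")
        issuer = summary.split("Issuer:", 1)[1].strip() if "Issuer:" in summary else ""
        entries.append({
            "id": e.findtext(ATOM + "id", ""),
            "name": e.findtext(ATOM + "title", ""),
            "updated": e.findtext(ATOM + "updated", ""),
            "issuer": issuer,
        })
    return entries


def issuer_org(issuer_dn: str) -> str:
    """Pull the O= attribute out of a comma-separated DN string."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip() == "O":
            return value.strip()
    return ""


def unexpected_certs(entries: list, expected_orgs: set, seen_ids: set) -> list:
    """Return entries not seen before whose issuer organisation is not expected.
    seen_ids is updated in place so a second poll does not re-alert."""
    alerts = []
    for e in entries:
        if e["id"] in seen_ids:
            continue
        seen_ids.add(e["id"])
        if issuer_org(e["issuer"]) not in expected_orgs:
            alerts.append(e)
    return alerts


if __name__ == "__main__":
    seen = set()                                   # persist this between polls in real use
    for cert in unexpected_certs(parse_entries(SAMPLE_FEED), {"Example Trusted CA"}, seen):
        print(f"ALERT unexpected issuer for {cert['name']} at {cert['updated']}: {cert['issuer']}")
```

A certificate for your own name from a CA you never used is precisely what showed up in the transparency logs for the victims in this story, which is why the feed is worth watching even though, as the comment says, it may stay quiet for years.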

  21. Are there recommended registrars and DNS providers that have all the features and a good track record on security?

    • I don’t have an answer for this.

      Cloudflare was going to become a registrar; they come w/ some strict caveats, but they might not be terrible.

      I’ve been looking into Gandi, they at least support 2FA.

      I’d be interested in hearing answers to this question.

  22. Nice article, and the research about the hijacking attack is commendable. Recently I came across Pc security internet security which provides internet security to your PC and computers.

    • Thanks, spammer.
      I went to your website and downloaded the setup.exe file.
      VirusTotal would not let me upload it because it is too big.
      So, why is it so large ?

    • Everyone needs to take a look at this website for some serious comedic relief.

    • Brian Fiori (AKA The Dean)

      Holy crap! Even their website isn’t secure. No HTTPS.

    • Hey, thanks for the heads up! It’s paramount that when we come across internet security, we tell internet security people of the internet security we came across so we can promote internet security.

      So, will this “softwares” get rid of “wirus” on my PC? Also, does PC Secure operate from a “secure Microsoft server” like you spammers love to mention?

  23. Fascinating article & great work as always!

    One thing I didn’t see called out specifically was a name in the middle of a chart: nl.tunnelbear-ios.com. Was that IP actually part of /used by the tunnelbear VPN provider at some point? That could be another attack vector of interest…

  24. I have some questions for all readers (posted the same question on Schneier's blog right now):

    1. How can I find out if my DNS has DNSSEC enabled/is supported?
    Now, supposing that I'm using a DNSSEC-enabled server:
    2. The client side (Windows) must support DNSSEC for it to be used, right? So does Windows support DNSSEC?
    3. Is it something system-wide, so that if Windows supports this it's “extended” to all the apps, or must every app support it? If it must be app-level, do Firefox and Thunderbird support it? (without plugins)
    4. Is it secure, in that it just works like TLS certificates that can't be abused, or is it a bad solution? (I know that TLS certs can be abused too, but misissuance can be mitigated, noticed, and it's rare; private key theft is not a TLS problem; and if someone steals your domain and gets a legit cert it's again not a TLS/CA infrastructure problem, it's outside scope; if you click ignore on the warning “someone is intercepting the connection” it's your fault)
    5. I know that in TLS if someone messes with the connection I will see a warning; they can't intercept my data without my consent, the “best” attack they can do is DoS (because of the warning, or dropping traffic on port 443). What about DNSSEC? What does it aim to prevent? MITM?
    6. What is the scope of DNSSEC? TLS is data integrity, authenticity and secrecy.

    tl;dr: I'd like to know more about DNSSEC because to me it looks like something obscure and I can't find easily explained information on the internet.

    Thanks a lot for any answer.

    • 3. in general apps get the system resolver unless they choose to work around it. Firefox is the kind of thing that is likely to work around the system resolver.

      There are plugins [1] for firefox

      4. If the registrar is hacked or the credentials for the registrar are hacked or if the canonical DNS provider is hacked, DNSSEC won’t help much. It isn’t a terrible solution, but it isn’t a silver bullet.
      5. Afaiu DNSSEC is more or less a form of MITM protection. It ensures that the DNS data your client is receiving matches data that the official DNS server (according to the registrar) authored. And yes, DNSSEC like most things can result in DoS if you configure your system to fail-secure.
      6. DNSSEC afaiu is integrity and authenticity, but not secrecy [2]. In fact, by nature, it leaks some information about the shape of your DNS records.

      For secrecy, you should look at DNS over TLS or DNS over HTTPS.

      [1] https://addons.mozilla.org/en-US/firefox/addon/dnssec/
      [2] https://www.cloudflare.com/dns/dnssec/dnssec-complexities-and-considerations/

      • Thanks for your answer. But, if the end user's DNS resolver doesn't validate DNSSEC signatures, how can DNSSEC help to make sure that users are connecting to the correct IP address? Also, is DNSSEC the only way for website owners / sysadmins to mitigate that attack?
        Thanks.

        • Thanks to everyone for the answers.
          I'm interested in this.
          I guess that even if I set 1.1.1.1 as DNS in Windows, Windows doesn't validate DNSSEC; I think I'll have to configure DNS over TLS/HTTPS (TLS should be better because it has fewer layers/overhead) using a program and set the system resolver to 127.0.0.1. In this way everything should be fine and MITM should not be possible.

  25. Every so often, somebody will email me and ask me to send them my PGP key. I don’t, because I don’t have one.

    I don’t have one because I think of the notions of “email” and “security” as being fundamentally unrelated and totally orthogonal to one another. And this whole story from Brian just kind of reconfirms that belief for me. If I have something (anything) which is seriously confidential and that I either need to tell or hear, I’ll do it via voice over my landline, thank you very much. I mean how many million times do we need to read in the press about somebody having their emails copied illicitly before people wise up and realize that there are about eight gazillion potential ways that somebody can hack and get hold of your emails and that it is only when literally EVERYTHING is locked down as tight as a drum that you have even a prayer in hell of having your emails remain confidential?

    • PGP’s about as good as it gets. If you adequately protect your secret key. And if your correspondents are equally careful about ensuring that the public key they have really belongs to you.

      Yeah … we’re all screwed.

  26. Daniel Karrenberg

    s/regional registries/TLD registries/

  27. Hi Brian,

    I’ve been re-reading your article. What I fail to understand is the motivation to modify A records for name servers of NETNOD and PCH. I understand the modus operandi, but most domain names you refer to do not use NETNOD nor PCH. So why change those name servers?

    • “…the global “Domain Name System,” which serves as a kind of phone book for the Internet”. I emphasize “global phone book”.

      It’s not only name servers that were affected.


Data Breaches — Krebs on Security


29
Mar 19

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

Some 2.1 million+ credit and debit card accounts stolen from dozens of Earl Enterprises restaurant locations went up for sale on a popular carding forum on Feb. 20, 2019.

In a statement posted to its Web site today, Orlando, Fla.-based hospitality firm Earl Enterprises said a data breach involving malware installed on its point-of-sale systems allowed cyber thieves to steal card details from customers between May 23, 2018 and March 18, 2019.

Earl Enterprises did not respond to requests for specifics about how many customers total may have been impacted by the 10-month breach. The company’s statement directs concerned customers to an online tool that allows one to look up breached locations by city and state.

According to an analysis of that page, it appears the breach impacts virtually all 67 Buca di Beppo locations in the United States; a handful out of the total 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando. Also impacted were Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.

KrebsOnSecurity contacted the executive team at Buca di Beppo in late February after determining most of this restaurant’s locations were likely involved in a data breach that first surfaced on Joker’s Stash, an underground shop that sells huge new batches of freshly-stolen credit and debit cards on a regular basis.


13
Mar 19

Ad Network Sizmek Probes Account Breach

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of these people are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world’s third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not an all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — were likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”


4
Mar 19

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38.


23 Feb 19

Payroll Provider Gives Extortionists a Payday

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.

Roswell, Ga.-based Apex HCM is a cloud-based payroll software company that serves some 350 payroll service bureaus that in turn provide payroll services to small and mid-sized businesses. At 4 a.m. on Tuesday, Feb. 19, Apex was alerted that its systems had been infected with a destructive strain of ransomware that encrypts computer files and demands payment for a digital key needed to unscramble the data.

The company quickly took all of its systems offline, and began notifying customers that it was trying to remediate a security threat. Over a series of bi-hourly updates, Apex kept estimating that it expected to restore service in a few hours, only to have to walk back those estimates almost every other time a new customer update went out.

Contacted Wednesday by an Apex client who was nervous about being unable to make this week’s payroll for his clients, KrebsOnSecurity reached out to Apex for comment. Ian Oxman, the company’s chief marketing officer, said the ransomware never touched customer data, but instead encrypted and disrupted everything in the company’s computer systems and at its off-site disaster recovery systems.

“We had just recently completed a pretty state-of-the-art disaster recovery plan off-site out and out of state that was mirroring our live system,” Oxman said. “But when the ransomware bomb went off, not only did it go through and infect our own network, it was then immediately picked up in our disaster recovery site, which made switching over to that site unusable.”

Oxman said Apex hired two outside security firms, and by Feb. 20 the consensus among all three was that paying the ransom was the fastest way to get back online. The company declined to specify how much was paid or what strain of ransomware was responsible for the attack.

“We paid the ransom, and it sucked,” Oxman said. “In respect for our clients who needed to get their businesses up and running that was going to be obviously the quicker path.”

Unfortunately for Apex, paying up didn’t completely solve its problems. For one thing, Oxman said, the decryption key they were given after paying the ransom didn’t work exactly as promised. Instead of restoring all files and folders to their pre-encrypted state, the decryption process broke countless file directories and rendered many executable files inoperable — causing even more delays.

“When they encrypt the data, that happens really fast,” he said. “When they gave us the keys to decrypt it, things didn’t go quite as cleanly.”


18 Feb 19

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.”

The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text.

On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.

About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.

That changed on Jan. 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date. The remainder of this story is based on open-source research and interviews conducted by KrebsOnSecurity in an effort to shed more light on the true extent of this extraordinary — and ongoing — attack.

The “indicators of compromise” related to the DNSpionage campaign, as published by CrowdStrike.

PASSIVE DNS

I began my research by taking each of the Internet addresses laid out in the CrowdStrike report and running them through both Farsight Security and SecurityTrails, services that passively collect data about changes to DNS records tied to tens of millions of Web site domains around the world.

Working backwards from each Internet address, I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies, including targets in Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates.

For example, the passive DNS data shows the attackers were able to hijack the DNS records for mail.gov.ae, which handles email for government offices of the United Arab Emirates. Here are just a few other interesting assets successfully compromised in this cyber espionage campaign:

- nsa.gov.iq: the National Security Advisory of Iraq
- webmail.mofa.gov.ae: email for the United Arab Emirates’ Ministry of Foreign Affairs
- shish.gov.al: the State Intelligence Service of Albania
- mail.mfa.gov.eg: mail server for Egypt’s Ministry of Foreign Affairs
- mod.gov.eg: Egyptian Ministry of Defense
- embassy.ly: Embassy of Libya
- owa.e-albania.al: the Outlook Web Access portal for the e-government portal of Albania
- mail.dgca.gov.kw: email server for Kuwait’s Civil Aviation Bureau
- gid.gov.jo: Jordan’s General Intelligence Directorate
- adpvpn.adpolice.gov.ae: VPN service for the Abu Dhabi Police
- mail.asp.gov.al: email for Albanian State Police
- owa.gov.cy: Microsoft Outlook Web Access for Government of Cyprus
- webmail.finance.gov.lb: email for Lebanon Ministry of Finance
- mail.petroleum.gov.eg: Egyptian Ministry of Petroleum
- mail.cyta.com.cy: Cyta telecommunications and Internet provider, Cyprus
- mail.mea.com.lb: email access for Middle East Airlines

The passive DNS data provided by Farsight and SecurityTrails also offered clues about when each of these domains was hijacked. In most cases, the attackers appear to have changed the DNS records for these domains (we’ll get to the “how” in a moment) so that the domains pointed to servers in Europe that they controlled.

Shortly after the DNS records for these domains were hijacked — sometimes weeks, sometimes just days or hours — the attackers were able to obtain SSL certificates for those domains from SSL providers Comodo and/or Let’s Encrypt. The preparation for several of these attacks can be seen at crt.sh, which provides a searchable database of newly issued SSL certificates.

Let’s take a closer look at one example. The CrowdStrike report references the Internet address 139.59.134[.]216 (see above), which according to Farsight was home to just seven different domains over the years. Two of those domains only appeared at that Internet address in December 2018, including domains in Lebanon and — curiously — Sweden.

The first domain was “ns0.idm.net.lb,” which is a server for the Lebanese Internet service provider IDM. From early 2014 until December 2018, ns0.idm.net.lb pointed to 194.126.10[.]18, which appropriately enough is an Internet address based in Lebanon. But as we can see in the screenshot from Farsight’s data below, on Dec. 18, 2018, the DNS records for this ISP were changed to point Internet traffic destined for IDM to a hosting provider in Germany (the 139.59.134[.]216 address).

Source: Farsight Security

Notice what else is listed along with IDM’s domain at 139.59.134[.]216, according to Farsight:

The DNS records for the domains sa1.dnsnode.net and fork.sth.dnsnode.net also were changed from their rightful home in Sweden to the German hosting provider controlled by the attackers in December. These domains are owned by Netnod Internet Exchange, a major global DNS provider based in Sweden. Netnod also operates one of the 13 “root” name servers, a critical resource that forms the very foundation of the global DNS system.

We’ll come back to Netnod in a moment. But first let’s look at another Internet address referenced in the CrowdStrike report as part of the infrastructure abused by the DNSpionage hackers: 82.196.11[.]127. This address in The Netherlands also is home to the domain mmfasi[.]com, which CrowdStrike says was one of the attackers’ domains that was used as a DNS server for some of the hijacked infrastructure.

As we can see in the screenshot above, 82.196.11[.]127 was temporarily home to another pair of Netnod DNS servers, as well as the server “ns.anycast.woodynet.net.” That domain is derived from the nickname of Bill Woodcock, who serves as executive director of Packet Clearing House (PCH).

PCH is a nonprofit entity based in northern California that also manages significant amounts of the world’s DNS infrastructure, particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage.
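The passive DNS method described above, working backwards from a known attacker address to find names that suddenly moved there and then checking certificate transparency for certificates issued right after the move, as an added example that is not code from the article, Farsight, SecurityTrails or crt.sh. The record layout (rrname, rrtype, rdata, time_first, time_last) and all dates and non-article IPs are constructed for the example; only the domains and the two addresses the article names are real.

```python
"""Offline passive-DNS / certificate-transparency correlation.

Constructed sample data stands in for passive-DNS exports and crt.sh results.
The field names mimic common passive-DNS feeds but are an assumption here.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS history. time_last=None means the record is current.
PDNS_RECORDS = [
    # ISP name server: long-lived home in Lebanon, then moved in Dec 2018
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "194.126.10.18",
     "time_first": date(2014, 2, 1), "time_last": date(2018, 12, 18)},
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 12, 18), "time_last": date(2018, 12, 20)},
    # Netnod name server, same pattern (its Swedish address is constructed)
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "192.0.2.10",
     "time_first": date(2015, 5, 1), "time_last": date(2018, 12, 14)},
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 12, 14), "time_last": date(2018, 12, 15)},
    # Attacker-owned name (constructed): parked at the suspect IP from the start,
    # so it has no legitimate prior history and is NOT a hijack candidate
    {"rrname": "c2.attacker-example.test", "rrtype": "A", "rdata": "139.59.134.216",
     "time_first": date(2018, 11, 1), "time_last": None},
    # Unrelated name that never touched the suspect IP
    {"rrname": "www.example.org", "rrtype": "A", "rdata": "198.51.100.7",
     "time_first": date(2016, 1, 1), "time_last": None},
]

# Constructed certificate-transparency entries in a crt.sh-like shape.
CT_ENTRIES = [
    {"name": "ns0.idm.net.lb", "not_before": date(2018, 12, 19), "issuer": "Let's Encrypt"},
    {"name": "sa1.dnsnode.net", "not_before": date(2018, 6, 1), "issuer": "Comodo"},  # old, benign
    {"name": "www.example.org", "not_before": date(2018, 12, 19), "issuer": "Let's Encrypt"},
]


def _duration_days(rec, today):
    end = rec["time_last"] or today
    return (end - rec["time_first"]).days


def find_hijack_candidates(records, suspect_ips, min_prior_days=180, today=date(2019, 2, 18)):
    """Work backwards from attacker IPs.

    For every name that ever resolved to a suspect IP, look for an earlier,
    long-lived resolution somewhere else. A name with a stable prior home that
    suddenly moved to the suspect IP is a hijack candidate; a name that has only
    ever lived at the suspect IP is treated as attacker infrastructure instead.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["rrname"]].append(rec)

    candidates = []
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r["time_first"])
        for i, rec in enumerate(recs):
            if rec["rdata"] not in suspect_ips:
                continue
            prior = [r for r in recs[:i] if r["rdata"] not in suspect_ips]
            if not prior:
                continue  # no legitimate history was displaced
            last_good = max(prior, key=lambda r: _duration_days(r, today))
            if _duration_days(last_good, today) >= min_prior_days:
                candidates.append({
                    "rrname": name,
                    "previous_rdata": last_good["rdata"],
                    "hijack_rdata": rec["rdata"],
                    "hijack_start": rec["time_first"],
                })
    return candidates


def correlate_certs(candidates, ct_entries, window_days=30):
    """Flag certificates for a hijacked name issued within window_days after the
    DNS change: with the name under their control, attackers can pass domain
    validation, which is the pattern the article describes seeing on crt.sh."""
    hits = []
    for cand in candidates:
        for ent in ct_entries:
            if ent["name"] != cand["rrname"]:
                continue
            delta = (ent["not_before"] - cand["hijack_start"]).days
            if 0 <= delta <= window_days:
                hits.append({"rrname": cand["rrname"], "issuer": ent["issuer"],
                             "days_after_hijack": delta})
    return hits


if __name__ == "__main__":
    found = find_hijack_candidates(PDNS_RECORDS, {"139.59.134.216", "82.196.11.127"})
    for cand in found:
        print(f"{cand['rrname']}: {cand['previous_rdata']} -> {cand['hijack_rdata']} "
              f"on {cand['hijack_start']}")
    for hit in correlate_certs(found, CT_ENTRIES):
        print(f"cert for {hit['rrname']} from {hit['issuer']} "
              f"{hit['days_after_hijack']} day(s) after the DNS change")
```

The same two functions run unchanged over a real passive-DNS export and crt.sh query results once they are mapped into the record shape above.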


12 Feb 19

Email Provider VFEmail Suffers ‘Catastrophic’ Hack

Email provider VFEmail has suffered what the company is calling “catastrophic destruction” at the hands of an as-yet unknown intruder who trashed all of the company’s primary and backup data in the United States. The firm’s founder says he now fears some 18 years’ worth of customer email may be gone forever.

Founded in 2001 and based in Milwaukee, Wisc., VFEmail provides email service to businesses and end users. The first signs of the attack came on the morning of Feb. 11, when the company’s Twitter account started fielding reports from users who said they were no longer receiving messages. VFEmail’s Twitter account responded that “external facing systems, of differing OS’s and remote authentication, in multiple data centers are down.”

Two hours later, VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in The Netherlands.

“nl101 is up, but no incoming email,” read a tweet shortly thereafter. “I fear all US based data may be lost.”

“At this time, the attacker has formatted all the disks on every server,” wrote VFEmail. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

In an update posted to the company’s Web site, VFEmail owner Rick Romero wrote that new email was being delivered and that efforts were being made to recover what user data could be salvaged.

“At this time I am unsure of the status of existing mail for US users,” Romero wrote. “If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

Reached by KrebsOnSecurity on Tuesday morning, Romero said he was able to recover a backup drive hosted in The Netherlands, but that he fears all of the mail for U.S. users may be irreparably lost.

“I don’t have very high expectations of getting any U.S. data back,” Romero said in an online chat.


2 Jan 19

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack

Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infestation on Christmas Eve, KrebsOnSecurity has learned. The company says its systems were hit by the Ryuk ransomware, the same malware strain that crippled printing and delivery operations for multiple major U.S. newspapers over the weekend.

San Juan Capistrano, Calif.-based Data Resolution LLC serves some 30,000 businesses worldwide, offering software hosting, business continuity systems, cloud computing and data center services.

The company has not yet responded to requests for comment. But according to a status update shared by Data Resolution with affected customers on Dec. 29, 2018, the attackers broke in through a compromised login account on Christmas Eve and quickly began infecting servers with the Ryuk ransomware strain.

Part of an update on the outage shared with Data Resolution customers via Dropbox on Dec. 29, 2018.

The intrusion gave the attackers control of Data Resolution’s data center domain, briefly locking the company out of its own systems. The update sent to customers states that Data Resolution shut down its network to halt the spread of the infection and to work through the process of cleaning and restoring infected systems.

Data Resolution is assuring customers that there is no indication any data was stolen, and that the purpose of the attack was to extract payment from the company in exchange for a digital key that could be used to quickly unlock access to servers seized by the ransomware.

A snippet of an update that Data Resolution shared with affected customers on Dec. 31, 2018.

The Ryuk ransomware strain was first detailed in an August 2018 report by security firm CheckPoint, which says the malware may be tied to a sophisticated North Korean hacking team known as the Lazarus Group.

Ryuk reportedly was the same malware that infected the Los Angeles Times‘ Olympic printing plant over the weekend, an attack that led to the disruption of newspaper printing and delivery services for a number of publications that rely on the plant — including the Los Angeles Times and the San Diego Union Tribune.

A status update shared by Data Resolution with affected customers earlier today indicates the cloud hosting provider is still working to restore email access and multiple databases for clients. The update also said Data Resolution is in the process of restoring service for companies relying on it to host installations of Dynamics GP, a popular software package that many organizations use for accounting and payroll services.


3 Dec 18

Jared, Kay Jewelers Parent Fixes Data Leak

The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Dallas-based Web developer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

Sheehy said after discovering the weakness, his mind quickly turned to the various ways that crooks might exploit it.

“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” he said. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”

Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.

Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.

“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”
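The weakness described above, a receipt link whose only secret is a guessable order number, next to one way of closing it that also covers past orders, as an added example; this is not Signet's or Jared's code, and the order numbers, addresses, hostname and secret key are constructed.

```python
"""Guessable order-receipt links versus unguessable, order-bound tokens.

Constructed data throughout; nothing here is the retailer's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: int
    customer_email: str
    shipping_address: str
    card_last4: str


# Constructed order table standing in for the retailer's database.
ORDERS = {
    1001: Order(1001, "alice@example.com", "1 Main St, Dallas TX", "4242"),
    1002: Order(1002, "bob@example.com", "9 Elm Ave, Austin TX", "1881"),
}


def lookup_vulnerable(order_id: int) -> Optional[Order]:
    """Vulnerable pattern: the emailed link carries only the order number and the
    lookup trusts it, so editing 1001 to 1002 in the URL returns Bob's order."""
    return ORDERS.get(order_id)


# Hardened pattern: the link carries a token derived from the order number under
# a server-side secret. Because the token is computed rather than stored per
# order, every existing order has one immediately, so the fix is not limited to
# new orders (the gap the article describes).
SECRET_KEY = secrets.token_bytes(32)  # constructed; load from configuration in practice


def receipt_token(order_id: int, secret: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over a fixed-format message; unguessable without the secret."""
    return hmac.new(secret, f"order:{order_id}".encode(), hashlib.sha256).hexdigest()


def build_receipt_url(order_id: int, secret: bytes = SECRET_KEY) -> str:
    # Hostname is a placeholder, not the retailer's.
    return f"https://shop.example/orders/{order_id}?t={receipt_token(order_id, secret)}"


def lookup_hardened(order_id: int, token: str, secret: bytes = SECRET_KEY) -> Optional[Order]:
    """Return the order only when the token matches; wrong token and unknown
    order look the same to the caller, so the endpoint cannot be used to
    enumerate which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    expected = receipt_token(order_id, secret)
    if not hmac.compare_digest(expected, token):  # constant-time comparison
        return None
    return order


if __name__ == "__main__":
    # Alice's link, then the same link with the number edited by hand.
    print(build_receipt_url(1001))
    print("vulnerable lookup of 1002:", lookup_vulnerable(1002))
    print("hardened lookup of 1002 with Alice's token:",
          lookup_hardened(1002, receipt_token(1001)))
```

The token is still a bearer credential, so anyone holding the forwarded email can open the receipt; requiring the customer to be signed in as the order's owner is the stronger check where the site supports it.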


1 Dec 18

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.


30 Nov 18

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach

Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.

Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set was not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.

The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.


The Coming Storm — Krebs on Security


31 Mar 19

Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.


22 Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, temporarily locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there. Continue reading →


21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low-speed connections and low-spec phones.

Continue reading →


8
Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (TransUnion and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I had previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, I should be ready to provide said information if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover that when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.” Continue reading →


18
Feb 19

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.”

The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text.

On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.

About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.

That changed on Jan. 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date. The remainder of this story is based on open-source research and interviews conducted by KrebsOnSecurity in an effort to shed more light on the true extent of this extraordinary — and ongoing — attack.

The “indicators of compromise” related to the DNSpionage campaign, as published by CrowdStrike.

PASSIVE DNS

I began my research by taking each of the Internet addresses laid out in the CrowdStrike report and running them through both Farsight Security and SecurityTrails, services that passively collect data about changes to DNS records tied to tens of millions of Web site domains around the world.

Working backwards from each Internet address, I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies, including targets in Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates.

For example, the passive DNS data shows the attackers were able to hijack the DNS records for mail.gov.ae, which handles email for government offices of the United Arab Emirates. Here are just a few other interesting assets successfully compromised in this cyber espionage campaign:

- nsa.gov.iq: the National Security Advisory of Iraq
- webmail.mofa.gov.ae: email for the United Arab Emirates’ Ministry of Foreign Affairs
- shish.gov.al: the State Intelligence Service of Albania
- mail.mfa.gov.eg: mail server for Egypt’s Ministry of Foreign Affairs
- mod.gov.eg: Egyptian Ministry of Defense
- embassy.ly: Embassy of Libya
- owa.e-albania.al: the Outlook Web Access portal for the e-government portal of Albania
- mail.dgca.gov.kw: email server for Kuwait’s Civil Aviation Bureau
- gid.gov.jo: Jordan’s General Intelligence Directorate
- adpvpn.adpolice.gov.ae: VPN service for the Abu Dhabi Police
- mail.asp.gov.al: email for Albanian State Police
- owa.gov.cy: Microsoft Outlook Web Access for Government of Cyprus
- webmail.finance.gov.lb: email for Lebanon Ministry of Finance
- mail.petroleum.gov.eg: Egyptian Ministry of Petroleum
- mail.cyta.com.cy: Cyta telecommunications and Internet provider, Cyprus
- mail.mea.com.lb: email access for Middle East Airlines

The passive DNS data provided by Farsight and SecurityTrails also offered clues about when each of these domains was hijacked. In most cases, the attackers appear to have changed the DNS records for these domains (we’ll get to the “how” in a moment) so that the domains pointed to servers in Europe that they controlled.

Shortly after the DNS records for these domains were hijacked — sometimes weeks, sometimes just days or hours — the attackers were able to obtain SSL certificates for those domains from SSL providers Comodo and/or Let’s Encrypt. The preparation for several of these attacks can be seen at crt.sh, which provides a searchable database of all new SSL certificate creations.

Let’s take a closer look at one example. The CrowdStrike report references the Internet address 139.59.134[.]216 (see above), which according to Farsight was home to just seven different domains over the years. Two of those domains only appeared at that Internet address in December 2018, including domains in Lebanon and — curiously — Sweden.

The first domain was “ns0.idm.net.lb,” which is a server for the Lebanese Internet service provider IDM. From early 2014 until December 2018, ns0.idm.net.lb pointed to 194.126.10[.]18, which appropriately enough is an Internet address based in Lebanon. But as we can see in the screenshot from Farsight’s data below, on Dec. 18, 2018, the DNS records for this ISP were changed to point Internet traffic destined for IDM to a hosting provider in Germany (the 139.59.134[.]216 address).

Source: Farsight Security

Notice what else is listed along with IDM’s domain at 139.59.134[.]216, according to Farsight:

The DNS records for the domains sa1.dnsnode.net and fork.sth.dnsnode.net also were changed from their rightful home in Sweden to the German hosting provider controlled by the attackers in December. These domains are owned by Netnod Internet Exchange, a major global DNS provider based in Sweden. Netnod also operates one of the 13 “root” name servers, a critical resource that forms the very foundation of the global DNS system.
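The workflow described above (a monitored name's record moving to infrastructure outside its historical footprint, followed shortly by a certificate issuance for that name) can be automated over passive DNS and certificate-transparency data. The following is an added example, not code from the post or from Farsight, SecurityTrails or crt.sh; every record it processes is constructed (RFC 2606 names, RFC 5737 test addresses and an invented IP-to-country table) and modelled on the ns0.idm.net.lb move described above.

```python
"""Correlate passive DNS record changes with certificate issuance.

Added example (not the post's own code). Finds the moment a record for a
monitored name moved to a country never seen for that name, then looks for
a certificate issued for the name shortly afterwards. All data is constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional


class PdnsRecord(NamedTuple):
    # One (name, type, value) pair with its observation span, the shape in
    # which passive DNS services report history.
    rrname: str
    rrtype: str
    rdata: str
    first_seen: date
    last_seen: date


class CertEntry(NamedTuple):
    # One certificate as listed by a certificate-transparency search.
    name: str          # subject CN or SAN
    issuer: str
    not_before: date


class Alert(NamedTuple):
    rrname: str
    old_rdata: str
    new_rdata: str
    changed_on: date
    cert_issued: Optional[date]   # first cert seen after the change, if any


# Constructed stand-in for a GeoIP/ASN lookup.
IP_COUNTRY: Dict[str, str] = {
    "192.0.2.18": "LB",       # the organisation's long-standing hosting
    "203.0.113.7": "LB",      # a second domestic provider
    "198.51.100.216": "DE",   # a rented server abroad
}


def country_of(rdata: str) -> str:
    # An address we cannot place counts as new territory, so it alerts too.
    return IP_COUNTRY.get(rdata, "??")


def record_changes(records: List[PdnsRecord]) -> List[Alert]:
    """Alert whenever a name's value moves to a country never before seen for
    that name. Rows are grouped per (name, type) and walked in time order."""
    by_key: Dict[tuple, List[PdnsRecord]] = {}
    for r in records:
        by_key.setdefault((r.rrname, r.rrtype), []).append(r)
    alerts: List[Alert] = []
    for (name, _rrtype), rows in by_key.items():
        rows.sort(key=lambda r: r.first_seen)
        seen = {country_of(rows[0].rdata)}
        for prev, cur in zip(rows, rows[1:]):
            if cur.rdata == prev.rdata:
                continue
            country = country_of(cur.rdata)
            if country not in seen:
                alerts.append(Alert(name, prev.rdata, cur.rdata, cur.first_seen, None))
            seen.add(country)
    return alerts


def correlate_certs(alerts: List[Alert], certs: List[CertEntry],
                    window_days: int = 30) -> List[Alert]:
    """Attach the earliest certificate issued for the name within the window
    after the change; a hit is the pattern the post observed on crt.sh."""
    result = []
    for a in alerts:
        deadline = a.changed_on + timedelta(days=window_days)
        hits = sorted(c.not_before for c in certs
                      if c.name == a.rrname and a.changed_on <= c.not_before <= deadline)
        result.append(a._replace(cert_issued=hits[0] if hits else None))
    return result


# Constructed sample data, modelled on the record move described in the post.
SAMPLE_PDNS = [
    PdnsRecord("webmail.finance.example", "A", "192.0.2.18", date(2014, 2, 1), date(2018, 12, 20)),
    PdnsRecord("webmail.finance.example", "A", "198.51.100.216", date(2018, 12, 18), date(2018, 12, 20)),
    PdnsRecord("vpn.ministry.example", "A", "192.0.2.18", date(2016, 5, 3), date(2018, 12, 15)),
    PdnsRecord("vpn.ministry.example", "A", "198.51.100.216", date(2018, 12, 15), date(2018, 12, 17)),
    PdnsRecord("www.ministry.example", "A", "192.0.2.18", date(2015, 1, 1), date(2017, 6, 1)),
    PdnsRecord("www.ministry.example", "A", "203.0.113.7", date(2017, 6, 1), date(2019, 1, 1)),  # domestic move
]
SAMPLE_CERTS = [
    CertEntry("webmail.finance.example", "Let's Encrypt", date(2018, 12, 19)),
    CertEntry("www.ministry.example", "Let's Encrypt", date(2017, 9, 1)),
]


def find_hijack_candidates(records=SAMPLE_PDNS, certs=SAMPLE_CERTS) -> List[Alert]:
    return correlate_certs(record_changes(records), certs)


if __name__ == "__main__":
    for a in find_hijack_candidates():
        cert = a.cert_issued.isoformat() if a.cert_issued else "none"
        print(f"{a.rrname}: {a.old_rdata} -> {a.new_rdata} on {a.changed_on}, cert: {cert}")
```

The domestic move for www.ministry.example produces no alert, while the two moves abroad do, and only the one followed by a certificate within the window carries an issuance date.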

We’ll come back to Netnod in a moment. But first let’s look at another Internet address referenced in the CrowdStrike report as part of the infrastructure abused by the DNSpionage hackers: 82.196.11[.]127. This address in The Netherlands also is home to the domain mmfasi[.]com, which CrowdStrike says was one of the attackers’ domains that was used as a DNS server for some of the hijacked infrastructure.

As we can see in the screenshot above, 82.196.11[.]127 was temporarily home to another pair of Netnod DNS servers, as well as the server “ns.anycast.woodynet.net.” That domain is derived from the nickname of Bill Woodcock, who serves as executive director of Packet Clearing House (PCH).

PCH is a nonprofit entity based in northern California that also manages significant amounts of the world’s DNS infrastructure, particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage. Continue reading →


4
Feb 19

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that’s been dubbed “Spammy Bear” — achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy’s hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company’s automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.

“What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy’s hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It’s also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach.

“Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”
Continue reading →


23
Jan 19

How the U.S. Govt. Shutdown Harms Security

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”

The source’s comments echoed some of the points made in a 72-page report (PDF) released this week by the FBI Agents Association, a group that advocates on behalf of active and retired FBI special agents.

“Today we have no funds for making Confidential Human Source payments,” reads a quote from the FBIAA report, attributed to an agent in the FBI’s northeast region. “In my situation, I have two sources that support our national security cyber mission that no longer have funding. They are critical sources providing tripwires and intelligence that protect the United States against our foreign adversaries. The loss in productivity and pertinent intelligence is immeasurable.”

My federal law enforcement source mentioned his agency also was unable to pay confidential informants for their help with ongoing investigations.

“We are having the same problems like not being able to pay informants, no travel, critical case coordination meetings postponed, and no procurements to further the mission,” the source said.

The extended shutdown directly affects more than 800,000 workers, many of them furloughed or required to work without pay. Some federal employees, now missing at least two back-to-back paychecks, are having trouble keeping food on the table. CNN reports that FBI field offices across the country are opening food banks to help support special agents and staff struggling without pay.

An extended lack of pay is forcing many agents to seek side hustles and jobs, despite rules that seek to restrict such activity, according to media reports. Missing multiple paychecks also can force investigators to take on additional debt. This is potentially troublesome because excess debt down the road can lead to problems keeping one’s security clearances.

Excessive debt is a threat to clearances because it can make people more susceptible to being drawn into illegal activities or taking bribes for money, which in turn may leave them vulnerable to extortion. Indeed, this story from Clearancejobs.com observes that the shutdown may be inadvertently creating new recruiting opportunities for foreign intelligence operatives.

“If you are a hostile intelligence service human intelligence (HUMINT) targeting officer you are hoping this situation lasts a long time and has a multitude of unintended consequences affecting the cleared government employee population,” writes Christopher Burgess. Continue reading →


22
Jan 19

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz.-based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S.-based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records (nameservers) that the customer then needs to assign to the domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use its managed DNS service for free for a period of time (in GoDaddy’s case it’s 30 days), after which customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

SAY WHAT?

For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.
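The condition the previous paragraphs describe can be audited from the domain owner’s side: for every domain in an inventory, ask each nameserver the registry delegates it to whether it is actually authoritative for that zone. A delegated nameserver that answers REFUSED (or otherwise not authoritatively) is exactly the dormant state described above, and if it belongs to a managed-DNS provider the zone is the one an account holder at that provider could add. The script below is an added example, not code from the post or from any of the researchers named in it. It uses only the standard library; the per-nameserver lookup is injected so the demo runs offline on constructed responses (in a live run that function would send a non-recursive SOA query with dnspython or `dig @<ns> <domain> SOA +norecurse`). The provider mapping is an assumption for the demo; the nameserver names for virtualfirefox.com come from the post, but the responses attributed to them here are invented.

```python
"""Audit nameserver delegations for the dormant, claimable state the post describes.

The condition: the registry delegates a domain to a provider's nameservers, but no
zone for that domain exists at the provider (trial lapsed, domain dormant), so the
delegated servers are not authoritative for it.  Standard library only; the lookup
is injected so this runs offline on constructed responses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hostname suffixes of managed-DNS nameservers.  domaincontrol.com is GoDaddy's
# (named in the post); the mapping itself is an assumption for this demo.
MANAGED_DNS_SUFFIXES: Dict[str, str] = {"domaincontrol.com": "GoDaddy"}

# Outcome of an SOA query for the zone apex sent directly to one nameserver.
AUTHORITATIVE = "NOERROR_AA"  # answered with the AA flag: the zone is hosted there
REFUSED = "REFUSED"           # server is not configured for this zone at all
NXDOMAIN = "NXDOMAIN"
SERVFAIL = "SERVFAIL"
LAME = "NOERROR_NOAA"         # answered without AA: a lame delegation

Lookup = Callable[[str, str], str]  # (nameserver, zone) -> outcome string


@dataclass
class Finding:
    domain: str
    nameserver: str
    provider: str
    outcome: str
    dangling: bool  # delegated server is not authoritative for the zone


def provider_for(nameserver: str) -> str:
    """Map a nameserver hostname to a managed-DNS provider name, else 'unknown'."""
    host = nameserver.lower().rstrip(".")
    for suffix, name in MANAGED_DNS_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown"


def audit_delegation(domain: str, parent_ns: List[str], lookup: Lookup) -> List[Finding]:
    """Query each delegated nameserver for the apex SOA; flag non-authoritative ones.

    Any non-authoritative answer means the provider has no zone for the name.  The
    provider annotation tells the reviewer where such a zone could be created.
    """
    findings = []
    for ns in parent_ns:
        outcome = lookup(ns, domain)
        findings.append(Finding(domain, ns, provider_for(ns), outcome,
                                dangling=(outcome != AUTHORITATIVE)))
    return findings


def dangling_domains(inventory: Dict[str, List[str]], lookup: Lookup) -> List[str]:
    """Return the inventory domains with at least one dangling delegation, sorted."""
    return sorted(domain for domain, parent_ns in inventory.items()
                  if any(f.dangling for f in audit_delegation(domain, parent_ns, lookup)))


# --- Constructed data standing in for live DNS responses ----------------------
# The nameservers mirror the post's description of virtualfirefox.com; the
# responses and the other two domains are invented for the demo.
CONSTRUCTED_INVENTORY = {
    "virtualfirefox.com": ["ns17.domaincontrol.com", "ns18.domaincontrol.com"],
    "healthy.example": ["ns1.healthy.example", "ns2.healthy.example"],
    "lame.example": ["ns1.otherprovider.example"],
}

CONSTRUCTED_RESPONSES = {
    ("ns17.domaincontrol.com", "virtualfirefox.com"): REFUSED,
    ("ns18.domaincontrol.com", "virtualfirefox.com"): REFUSED,
    ("ns1.healthy.example", "healthy.example"): AUTHORITATIVE,
    ("ns2.healthy.example", "healthy.example"): AUTHORITATIVE,
    ("ns1.otherprovider.example", "lame.example"): LAME,
}


def constructed_lookup(nameserver: str, zone: str) -> str:
    """Offline stand-in for a direct, non-recursive SOA query to one server."""
    return CONSTRUCTED_RESPONSES.get((nameserver, zone), SERVFAIL)


if __name__ == "__main__":
    for f in audit_delegation("virtualfirefox.com",
                              CONSTRUCTED_INVENTORY["virtualfirefox.com"],
                              constructed_lookup):
        flag = "  <-- dangling" if f.dangling else ""
        print(f"{f.domain} @ {f.nameserver} ({f.provider}): {f.outcome}{flag}")
    print("dangling:", dangling_domains(CONSTRUCTED_INVENTORY, constructed_lookup))
```

The fix for a flagged domain is the one Mozilla describes later in the post: either create the zone at the provider the delegation points to, or change the delegation at the registrar to nameservers you actually operate. Rerunning the audit on a schedule catches domains that drift back into this state when a managed-DNS trial or plan lapses.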

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”


3
Jan 19

Apple Phone Phishing Scams Getting Better

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that displays Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn’t answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Here’s what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:

What Westby’s iPhone displayed as the scam caller’s identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).

Note in the above screen shot that it lists Apple’s actual street address, their real customer support number, and the real Apple.com domain (albeit as “http://” rather than “https://”). The same caller ID information showed up when she answered the scammers’ call this morning.

Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a “case ID” to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.

Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that — all of which she already knew. But when Westby looked at her iPhone’s recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:

The fake call spoofing Apple — at 11:44 a.m. — was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.


“I told the Apple representative that they ought to be telling people about this, and he said that was a good point,” Westby said. “This was so convincing I’d think a lot of other people will be falling for it.”


13
Nov 18

That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.

For nearly 10 years, Portland, Ore. resident Julie Randall posted pictures for her photography business at julierandallphoto-dot-com, and used an email address at that domain to communicate with clients. The domain was on auto-renew for most of that time, but a change in her credit card details required her to update her records at the domain registrar — a task Randall says she now regrets putting off.

Julierandallphoto-dot-com is now one of hundreds of fake ecommerce sites set up to steal credit card details.

That’s because in June of this year the domain expired, and control over her site went to someone who purchased it soon after. Randall said she didn’t notice at the time because she was in the middle of switching careers, didn’t have any active photography clients, and had gotten out of the habit of checking that email account.

Randall said she only realized she’d lost her domain after failing repeatedly to log in to her Instagram account, which was registered to an email address at julierandallphoto-dot-com.

“When I tried to reset the account password through Instagram’s procedure, I could see that the email address on the account had been changed to a .ru email,” Randall told KrebsOnSecurity. “I still don’t have access to it because I don’t have access to the email account tied to my old domain. It feels a little bit like the last ten years of my life have kind of been taken away.”

Visit julierandallphoto.com today and you’ll see a Spanish language site selling Reebok shoes (screenshot above). The site certainly looks like a real e-commerce shop; it has plenty of product pages and images, and of course a shopping cart. But the site is noticeably devoid of any SSL certificate (the entire site is http://, not https://), and the products for sale are all advertised for roughly half their normal cost.

A review of the neighboring domains that reside at Internet addresses adjacent to julierandallphoto-dot-com (196.196.152/153.x, etc.) shows hundreds of other domains that were apparently registered upon expiration over the past few months and which now feature similar http-only online shops in various languages pimping low-priced, name brand shoes and other clothing.

Until earlier this year, wildcatgroomers-dot-com belonged to a company in Wisconsin that sold equipment for grooming snowmobile trails. It’s now advertising running shoes. Likewise, kavanaghsirishpub-dot-com corresponded to a pub and restaurant in Tennessee until mid-2018; now it’s pretending to sell cheap Nike shoes.

So what’s going on here?

According to an in-depth report jointly released today by security firms Flashpoint and RiskIQ, the sites are almost certainly set up simply to siphon payment card data from unwary shoppers looking for specific designer footwear and other clothing at bargain basement prices.

“We have observed more than 800 sites hosting these brand impersonation/skimming stores since June 2018,” the report notes.




31
Mar 19

Annual Protest Raises $250K to Cure Krebs

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.


57 comments

  1. So just to make sure I’ve got this straight, you exposed some scammers and in response they ran a collection for charity? Twice?

    Has anyone confirmed that these donations are actually going to charity and not to the scammers? Just wondering, because dkms.de is in Ireland, and Deutsche Krebshilfe is krebshilfe.de.

    • He exposed some shady stuff regarding Coinhive, e.g. them profiting from hacked websites where code was inserted that generated crypto-currency without visitors or the owners knowing.
      While the Coinhive Guys didn’t hack those sites or whatever, they still got profit from it and didn’t actively suppress or work against profit from hacked sites. There were some connections between the Coinhive Admins and some Admins (I think?) from the Imageboard. I am not 100% sure what exactly the connection was, but I think some of the Coinhive Guys also ran the Imageboard.
      The Imageboard Guys were not happy to have their data exposed (although it was technically publicly available?) – In Germany Privacy is valued higher/differently than in America though; the Outrage is kind of a cultural thing. In Germany you usually also do not expose the Names of accused criminals until proven guilty in a court, just to give you some insight on why those peeps react the way they do.
      Regarding if the charity actually receives the money – Yes, they do. The money isn’t really collected by pr0gramm; instead every individual user donates the money directly to the charity and only posts the receipt afterwards, which is then (manually? not sure how they do it) counted and added to the total donation sum.
      The charities themselves are well known and legit, so no scam there 🙂 All in all.. I mean… if you wanna protest.. that’s the way to go I think.

      • They count the sum over tags. You can up and downvote tags on that imageboard so the euro tag with the highest upvotes is probably the right one.

        If someone tries to scam with wrong tags, they will get banned. To gain access to this imageboard you have to be invited or have to pay 14 euro so it’s pretty safe.

        • To correct you on that one:
          They let a crawler search for multiple tags of donations. This crawler then provided it to an interface where they manually reviewed it 3 times. Using the tags would be pretty short thought.

    • The users donate directly to the charities. Dkms was chosen because some members of pr0gramm shared stories on how they donated bone marrow.

    • Yes it is genuine.
      And the protest is not because of the scammers, but because our mods were targeted!

    • mistermeeseeks

      The community started the donations and the members choose to which organisation they want to donate. Then they post a screenshot of the bill and upload it.
      It’s 100% legit, I’m a member of the community and I also know the different organisations.
      They did’nt invented coinhive to scam people, but to implement it on the website so some users could voluntarily use it in order to get premium. It later was used as a scam and Krebs also doxxed some operators of pr0gramm who didn’t worked on coinhive, as far as I know.

      • “They did’nt invented coinhive to scam people.” — You actually expect anyone outside your little group to believe this BS.

        “Krebs also doxxed some operators of pr0gramm who didn’t worked on coinhive” — Doxxed them??? He stated their names which was already available publicly anyway. You Germans do realize that there is no other society on Earth that treats publicly available information as a matter of privacy. Your pathology has led to the EU passing some ridiculous laws that is only going to make cyber crime worse and the criminals harder to find. Maybe we should send you the bill.

        • It might help you to understand the European mindset. We value among other things honesty, compassion and privacy, values you Ameriturds lacks an understanding of. Just look at your president, the Orange Emperor.

          • Just an Average Ameriturd

            “We value among other things honesty, compassion and privacy, values you Ameriturds” — From your comment and your username, it seems you’re very compassionate… great job, 10/10, would hypocrisy again.

          • “Compassion” is something you value? Hmm, I don’t see where calling people names and having a username like that is compassionate. Seems to me like you’re inexcusable to judge others for the same things you’re judging them for.

          • Oh the irony in your comment. You sure are showing lots of compassion in your comment and username.

          • Yes, Europe values honesty, compassion, and privacy. Just read a little European history.

          • I think there is a misunderstanding here. What these users had was not privacy, but lack of publicity. Those are not the same thing. I think everyone cares about lack of publicity. But most don’t care about privacy.

            Think of it this way: no one expects to have any privacy while they are shopping in public. If some one sees them and recognizes them, they haven’t had their privacy violated. However, if there are a crowd of photographers and videographers shouting questions at them and live streaming the whole thing to an audience of millions, well that is publicity. Most people don’t want that.

          • US-SUX said: “ We value among other things honesty, compassion and privacy, values you Ameriturds lacks an understanding of. Just look at your president, the Orange Emperor.”
            First of all, what a laugh for someone going by the name US-SUX to preach that they’re a culture of compassion and honesty while in the same breath namecalling Americans. You cannot get more hypocritical than that!

            Slandering an entire populace of over 320 million people because of said Orange Emperor is absolutely childish and speaks more about you being a close-minded numpty. If going by your extremely skewed, bigoted, blanket statement of logic, then we should define all elderly and deceased Germans as loving a crazy Moustached Diktat and all their German offspring living today are simple little diktats in the making? I suppose I should think all Russians are nihilists, Venezuelans helpless fools, Somalians are all ruthless pirates, and every French and Italian man is either a wimp with a Napoleon-complex or an over-coddled mama’s boy. (I know none of it is true but, hey, you’re the one choosing to perpetuate ignorant stereotypes of individuals based solely on a nation’s current leadership).
            Your alleged “altruism” is not pure but rather a convoluted German arrogance, herd mentality spiked with absurditude and wilful misunderstanding of anyone or thing you view as different than you. Perhaps the German stereotype isn’t so far off after all.

            BTW, I loathe the Orange One, so do not for one second think this is in defence of that idjit.

        • You are as ignorant as you are pathetic. A masterpiece.

      • Mrs. Emma Jean Sporkens

        To me, if the inventors of this programm allowed it to be used for harm, then there motive is clear.

        What is a doxx?

        Emma Jean

        • Doxx is plural of dox. As in, get your doxx in a row. In this case, row is pronounced raauw, because it all caused a bit of a stink.

  2. You can be sure that the money will reach the organizations. The money is not transferred to the website, but directly from the people to a desired organization. Only the Paypal confirmation or similar will be published as proof that the person has donated money.

    There are also Facebook entries about the massive donations from the German krebshilfe. Last year there were so many people that the website went offline.

    At the first action the responsible person did not know what was going on. With every donation he receives an SMS; on one day he received several thousand SMS.

    https://m.facebook.com/story.php?story_fbid=2556348221059689&id=1405929412768248

  3. It’s true. The organisations published statements about it

  4. Answear to Dave

    lol Dave, serious question… are you dumb?
    There was never „a bunch of scammers“

    • Here’s my “answear”… yes, I’m equally as dumb as someone that can’t spell “answer” correctly.

  5. The Sunshine State

    Krebs is a disease on cyber criminals

    • Rube Goldberg's Razor

      Giving cyberthieves a nasty case of the Krebs, eh? No, wait – a digital-age remake of the Stallone vehicle Cobra: “You’re the malware (aims keyboard, hits enter) . . . I’m the patch!” (Fade to blue screen of death)

  6. Change it to Mr. WOLFMAN.
    yuk, he he.
    No confusion.

  7. A good story, pleasing much.

  8. Fabulous humorous twist on a story. Even cybercrooks have a sense of humor and use it to try to twist around who is the villain.

  9. To maybe give some insight into what happened from a pr0gramm-user’s point of view.

    Krebs published the name of the creator of CoinHive. That’d be illegal in Germany, and rightly so, but fine, I guess he deserves it.

    The CoinHive creator was the former administrator of pr0gramm.com. The current administrators of the site know him, but were not involved in the creation of CoinHive. They did allow him to test CoinHive on their platform, however the users were not scammed – they had to open a dedicated link and thereby consent to the utilisation of their resources. It was actually framed as a game, where you could deliberately dedicate your computing resources to “feed admins”, as it were, and earn “pr0mium” time. All of this contributed greatly to the view among us pr0grammers that Krebs had done the current administrators injustice. Hence the protests.

    Make of this what you will, but given that CoinHive itself is not the problem, but its abuse by actual scammers, I find it unjustified to publish the names of the current administrators. Doxxing is generally a shady tactic, but it’s detestable when done to people who have done nothing wrong.

    • CoinHive itself WAS the problem. The owners relied on scammers and they knew damn well that that was where a majority of their income came from. And, to top it off, when someone reported an account of a scammer, CoinHive then disabled that account’s token, so the scammer no longer got paid, but instead started pocketing that scammer’s ill-gotten gains themselves. Once exposed and once the scammers left the site, they were forced to shut down. Their entire success was built upon facilitating cybercrime.

      • What he meant by coinhive wasn’t the problem is that it wasn’t the problem that caused outrage by the community. It was caused because Brian had published information that was simply wrong, e.g. saying that the community got overrun by far-right people.

        The community is very diverse with every point of view represented on it. If the majority of members would have thought that the accusations Brian made were right or at least necessary for the article, there would’ve been no such protest against him.

    • I’m not convinced there wasn’t some kind of kickback going to the board owners from Coinhive dude. Nobody allows something like that without an incentive or vested interest.

  10. Measure for Measure

    From Krebs’ original article:

    “What does Coinhive get out of all this? Coinhive keeps 30 percent of whatever amount of Monero cryptocurrency that is mined using its code, whether or not a Web site has given consent to run it. The code is tied to a special cryptographic key that identifies which user account is to receive the other 70 percent.”

    So Coinhive took a commission off of any activity, legal or otherwise. ISTM that they were definitely part of the problem.

    Also from the article:

    “Let me be crystal clear on this point: All of the data I gathered (and presented in the detailed ‘mind map’ below) was derived from either public Web site WHOIS domain name registration records or from information posted to various social media networks by the pr0gramm administrators themselves. In other words, there is nothing in this research that was not put online by the pr0gramm administrators themselves.”

    That doesn’t look like a Dox to me.

    • Coinhive was a company. And companies have to make money. So it’s not wrong to charge a fee for a service that you provide.
      It’s no difference to ad-placements on hacked sites. These agencies can’t prevent misuse either. There isn’t really a good way to validate rightful ownership of thousands of websites…

      • Nobody knew Coinhive was a German “company” until my story, after which it was forced to obey German law and list contact information on its site.

        As I stated in previous stories on this subject, pr0gramm’s co-founders were given an opportunity to respond to my questions, and they lied to me, and then proceeded to get upset when I printed what they told me. You can’t have it both ways.

        Also, if Coinhive really was a company, it should have no problems with a reporter naming its owner(s).

        • You’re inside these guys heads so much they want to charge you rent. It’s pretty hilarious. Keep it up!

          • Measure for Measure

            LOL.

            Dude. Krebs is a journalist. Reporting on various malware providers is how he makes his living. Coinhive isn’t the only bad actor, or even the most interesting one. The only thing mildly diverting are their hapless and ill-informed followers.

        • just because you think it’s ok to go about publicly naming them and dropping info in regards to them does not necessarily mean that you were right, or legally backed by doing so

        • Don’t you think to break the German law, §186 to §187 StGB, is a little unlawful? You are a journalist, not a judge.

          https://dejure.org/gesetze/StGB/186.html
          https://dejure.org/gesetze/StGB/187.html

          Maybe you can make a better investigation before doxxing somebody, and if you find a criminal, you should inform the officials. You are not allowed to start a kind of hounding, only for fame and money.

          Best regards

  11. Funny to think that in under 2 years, the EU will be partitioned from the rest of the Internet due to Article 13 legislation.

    The EU will be placing themselves behind a new Cyber Iron Copyright Curtain.

    • even funnier to think that if in a few years, the US adopts something similar to Article 13, Krebs won’t be able to publish stories like this wherein he doxxes individuals over mere speculation with no technical evidence, because he will be in violation of the law by doing so.

      • Clearly, “article 13” is a European dog whistle. It has absolutely zero to do with aggregating publicly available information on people. Which is not and has never been doxxing.

        • when a good amount of the information was obtained from attempting to contact them, yet there were no requests in regards to whether or not the information could be published, let alone credibly verified, he’s basically just given them the leverage they would need to come after him under Article 13

      • “the us adopts something similar to article 13, krebs wont be able to publish stories like this where-in he doxxes individuals over mere speculation with no technical evidence, because he will be in violation of the law by doing so.”

        wenn Krebse pfeifen 🙂

        • Article 13
          EU GDPR
          “Information to be provided where personal data are collected from the data subject”

          => Article: 30
          => Recital: 60, 61, 62
          => administrative fine: Art. 83 (5) lit b
          => Dossier: Obligation, Transparency
          1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
          (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
          => Dossier: Representatives
          (b) the contact details of the data protection officer, where applicable;
          => Dossier: Data Protection Officer
          (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
          => Dossier: Purpose (Binding)
          (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
          => Dossier: Legitimate Interests (Controller)
          (e) the recipients or categories of recipients of the personal data, if any;
          (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

          under Article 13, in this scenario since Krebs is the responsible party who sought out the data, that makes him the controller in this situation, so he can be held liable for violation of Article 13 now for not following the appropriate outlined policies.

          • The solution will be easy: for users connecting from EU, Brian will have to show a banner: “Sorry, because of legislation in your country, you are not allowed to access this page”. Like it is already happening with US websites. It’s great to have mammy EU who protects me from the dangers of internet.
            As someone above wrote, eu is step by step, placing itself behind a cyber iron copyright curtain.

      • Krebs didn’t “doxx” anyone. The information was already publicly available on the internet, which by definition is not doxxing but called doing a little digging, a.k.a. research!

      • Krebs didn’t “doxx” anyone.
        The so-called private information was already publicly available on the internet, which by definition is not doxxing but called digging, a.k.a. research!

  12. Cool outcome. Did Brian get a t-shirt?

  13. Off-Topic. This morning I got another in a long line of “Apple App Store” invoices. Nothing unusual. Traced the domain to web hosting company.

    Contacted them via a web form and received an acknowledgement email to my account at 09:13 local time. At 09:18 local time I received a second email, which reads, “Thank you for contacting {hosting company}. The domain was disabled.”

    My question is: does that seem a bit suspicious? Would a typical ISP be able to carry out sufficient checks [i.e. examine outbound email volumes], speak with the domain client and render a decision in 5 minutes? Or does that maybe look like the hosting company could be part of the problem?

    Brian – if you’re reading this and interested – the email address I recorded with this post is valid; you’re welcome to contact me and I can forward the emails in question [along with scrapes of headers] for your reference.

  14. VIRGIL D HOFF

    thank you again for your diligence in a more than confusing world

  15. Coinhive shutting down, cash flow dried up. huh?

  16. These shady guys donating money to charity makes me think of them in the same light as Al Capone sponsoring a soup kitchen for homeless folks.

  17. I made use of coinhive. In and of itself it was a good service for me. I gave processor time for rewards. Sad that bad hombres gave it a bad name. Fortunately the Germans, like the French, have had about enough of losing their autonomy. Keep fighting the good fight Brian, you are making a difference.



#####EOF##### Online Banking Best Practices for Businesses — Krebs on Security

Online Banking Best Practices for Businesses

The best way to avoid becoming a victim of a cyberheist is not to let computer crooks into the computers you use to access your organization’s bank accounts online. The surest way to do that is to maintain a clean computer: Start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach (explained in more detail below).

-Use a dedicated system to access the bank’s site. The dedicated machine should be restricted from visiting all but a handful of sites necessary to interact with the bank and manage the organization’s finances. This can be done using custom firewall rules and hosts files, or services like OpenDNS. Remember that the dedicated system approach only works if you *only* access your bank’s site from locked-down, dedicated machines. Making occasional exceptions undermines the whole purpose of this approach.

-If possible, use something other than Microsoft Windows. Most malware only runs in a Microsoft Windows environment, so using a different operating system for the dedicated machine is an excellent way to drastically reduce the likelihood of becoming a cyberheist victim. A “live CD” is a free and relatively painless way to temporarily boot a Windows PC into a Linux environment. The beauty of this approach is that even if you fail to maintain a clean Windows PC, malicious software can’t touch or eavesdrop on your banking session while you’re booted into the Live CD installation. For more information on how to set up a live CD for a dedicated machine, see this primer.

-If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.

-If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins. One leading cause of malware infections is exploit kits, which are attack tools stitched into hacked Web sites that exploit unpatched or undocumented vulnerabilities in widely-used browser plugins. Tools such as File Hippo’s Update Checker and Secunia’s Personal Software Inspector will alert you to new security updates available for third-party programs installed on your PC.

-Remove any unneeded software from dedicated systems used to access the bank’s site. In particular, unneeded plugins (such as Java) should be junked.

-Avoid opening attachments in email that you were not expecting. Be particularly wary of emails that warn of some dire consequence unless you take action immediately.

-Use a bookmark to access the bank’s site. Avoid “direct navigation,” which involves manually typing the bank’s address into a browser; a fat-fingered keystroke may send you to a look-alike phishing Web site or one that tries to foist malicious software.

-Remember that antivirus software is no substitute for common sense. A majority of today’s cyberheists begin with malware that is spread via email attachments. Many of these threats will go undetected by antivirus tools in the first few days.

-If your financial institution offers it, consider taking advantage of ACH Positive Pay. Any item that meets the criteria you establish will automatically post to your account. Your company will be notified via email and/or text message of any rejected electronic item(s) that do not meet your filter criteria. Upon receipt of the rejected items, you can then return them or conveniently add filter criteria for future electronic transactions.

-Require two people to sign off on every transaction. This fundamental anti-fraud technique can help block cyberheists (and employee fraud).
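Two of the tips above (the dedicated machine that may only reach a handful of bank sites, and the bookmark tip about fat-fingered look-alike addresses) can be turned into a concrete check. The following is an added example, not code from the article: a small Python allowlist that permits only exact bank hostnames over HTTPS and separately flags destinations that are one or two typos away from an allowed host. The hostnames are placeholders, not a real bank.

```python
"""Added example (not from the article): destination allowlist for a
dedicated banking machine plus a look-alike (typo) warning.
The bank hostnames below are placeholders, not a real institution."""
from urllib.parse import urlsplit

# Assumption: the only hosts the dedicated machine ever needs to reach.
ALLOWED_HOSTS = {"online.example-bank.test", "payments.example-bank.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute).
    A small distance to a known-good host is exactly what a fat-fingered
    URL or a deliberately registered look-alike domain produces."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str, allowed=ALLOWED_HOSTS, max_typo: int = 2) -> str:
    """Return 'allow', 'typosquat' or 'deny' for a destination URL.

    Only an exact hostname match over HTTPS is allowed. A host within
    max_typo edits of an allowed one is reported separately so the user
    learns they mistyped (or were lured) instead of just seeing a block.
    Matching is on the full hostname, so 'online.example-bank.test.evil.test'
    is not an allowed host even though it begins with one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in allowed:
        return "allow" if parts.scheme == "https" else "deny"
    if any(edit_distance(host, good) <= max_typo for good in allowed):
        return "typosquat"
    return "deny"


if __name__ == "__main__":
    for u in ("https://online.example-bank.test/login",
              "http://online.example-bank.test/login",
              "https://onlne.example-bank.test/login",
              "https://online.example-bank.test.evil.test/",
              "https://mail.example.test/"):
        print(f"{classify_url(u):10s} {u}")
```

The deny-by-default shape is the point: the dedicated machine has no business reaching anything not on the list, and plain-HTTP access to the bank is refused rather than tolerated. The typo threshold of two edits is a judgement call; raise it and legitimate unrelated hosts start to look like look-alikes.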


#####EOF##### Patch Tuesday, March 2019 Edition — Krebs on Security

13
Mar 19

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and SharePoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.

This is the third month in a row Microsoft has released patches to fix high-severity, critical flaws in the Windows component that obtains the computer’s network address from a DHCP server (a.k.a. the “Windows DHCP client”).

These are severe “receive a bad packet of data and get owned” type vulnerabilities. But Allan Liska, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.

The bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe’s given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
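The two checks this post asks for (is Chrome at a fixed build, is the month’s Windows update actually installed) are easy to get wrong by eye, and version strings compare badly as text. The following Python is an added example, not from the post or from Microsoft or Google: it parses the version shown on Chrome’s About page and the output of `wmic qfe list` (or `Get-HotFix`) and reports what is missing. The fixed Chrome build and the Windows 7 KB number are assumptions taken from readers’ comments below; confirm them against the vendors’ release notes for your edition before relying on them.

```python
"""Added example (not from the post): two patch-state checks, parsing text
pasted from the machine in question. The fixed version numbers are
assumptions taken from readers' comments below, not from Microsoft or
Google; confirm them against the vendors' release notes."""
import re

# Assumption: Chrome build carrying the fix for CVE-2019-5786, as cited by a
# commenter below.
FIXED_CHROME = (72, 0, 3626, 121)
# Assumption: the March 2019 Windows 7 rollup KB readers below report installing.
REQUIRED_KBS = {"KB4489878"}


def parse_version(text: str) -> tuple:
    """Pull a dotted version out of text like 'Google Chrome 73.0.3683.75'
    and return it as a tuple of ints. Tuples compare numerically, which
    avoids the classic string-compare mistake where '9.0' > '73.0'."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def chrome_patched(about_text: str, fixed=FIXED_CHROME) -> bool:
    """True when the version shown on chrome://version is at or past the fix."""
    return parse_version(about_text) >= fixed


def installed_kbs(qfe_text: str) -> set:
    """Collect KB identifiers from 'wmic qfe list' or Get-HotFix output."""
    return set(re.findall(r"\bKB\d{6,7}\b", qfe_text))


def missing_kbs(qfe_text: str, required=REQUIRED_KBS) -> list:
    """Required KBs that do not appear in the hotfix listing."""
    return sorted(required - installed_kbs(qfe_text))


# Constructed sample of 'wmic qfe get HotFixID,InstalledOn' output: two KBs
# readers mention are present, the monthly rollup is not.
SAMPLE_QFE = """HotFixID   InstalledOn
KB4474419  3/12/2019
KB4490628  3/12/2019
"""

if __name__ == "__main__":
    print("chrome ok:", chrome_patched("Google Chrome 73.0.3683.75"))
    print("missing:", missing_kbs(SAMPLE_QFE))
```

The hotfix listing only proves a package was registered as installed; as several readers report below, a KB can show as installed and still be offered again, so treat a clean result as necessary rather than sufficient and keep the backup advice above.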

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys

SANS Internet Storm Center

Ask Woody

ZDNet


47 comments

  1. The Sunshine State

    Is “Servicing stack update” (KB4490628) for Windows 7 SP1 more Microsoft tracking?

    • The Servicing Stack update is not a telemetry update; it is necessary to ensure that you’ll receive the SHA-2 -based patches in the future. (I believe those start in a couple of months for Windows 7/Server 2008 R2.)

      For those not seeing the Servicing Stack update – you won’t see it until you apply or hide everything else in the queue.

      • My Windows 7 Ultimate 64 bit, update is trying to install that KB number again, despite showing that it is already installed successfully. MS updates are sure getting buggy.

        • Interesting…as Arte Johnson used to say. I also have 7/64 and usually wait until Friday or Saturday to install the updates. This month, the downloads from the Microsoft Update Catalog were slow and spasmodic…which I don’t recall happening before.

    • It seems to do quite a bit, people tend to say it’s quite a large topic to cover. From what I read on a forum post and the Microsoft-issued update log, one function is it assisting during Windows Updates. It’s also supposed to fix update corruptions.

  2. Eric Rosenberg

    Of my two machines automatically updated, one is fine, the other is DOA. I can’t get past the BIOS to change the boot sequence to boot up from the recovery USB. It hangs on the manufacturer (HP) logo. No Windows, no nothing. Not sure what to do next!

    • Windows 10 or 7? Try holding F8 as it boots to see if you can get into safe mode. There are also tons of Microsoft forum posts that can help.

    • Getting into BIOS happens before the OS even starts to load. Disconnect all peripherals (except keyboard and mouse) and make sure you are hitting the correct key (F10, F1, F2, Escape) to get into BIOS. May need to turn off “Secure Boot” to change the boot order.

    • There could be a peripheral (external hard drive, printer, etc.) plugged into the computer, which is causing things to get stuck. Try unplugging all of the peripherals and boot up again.

      Good luck.

    • HP used to include some pretty good recovery software for such events. If you can get to the HP web site for your model of PC, you could check the user manual for the procedure. Windows 10 may have changed all that, because it has some pretty good recovery options as well – but there are many different avenues to attack the subject, so the advice here to consult the MS support site is very valid.

    • Disconnect your PSU, and Take out your CMOS battery for 5-10 minutes and put it back. That’s what I had to do.

  3. I was called by “Microsoft” yesterday (really a robo call) that explained there were critical patches and they even referenced the Microsoft site and phone number. I had the option of talking to an engineer so I pressed 1. Some one picked up and asked how they could help me. After I asked which department they worked in at Microsoft they hung up. I assume they would’ve tried remoting in or asking me for sensitive information.

  4. I had no issues with this month’s patches/updates being processed properly on either W7U or W10H machines, thankfully.

  5. KB4490628 is trying to install again, despite the history showing it installed successfully already. I’m not sure it is worth a call to MS to even bother with it. I’ll just leave it in the queue for a while to see if MS ships another fix for a buggy update. Seems that is the MS way nowadays – send buggy updates then send a fix afterward – geeze!

    At least I didn’t have to contend with that 1809 disaster that my sister had to deal with on Windows 10!

  6. I did the auto-install of the updates on my HP h9-1183 running Win7 Premium and it killed my video. I was able to view the usual menu with Ctrl-Alt-Delete, but aside from that it was a black screen (no cursor) after Windows loaded. All this was preceded by Chrome failing to run (looks like it is up to date, per your warning), at which point I rebooted and that’s when the video failed. Rolling back the security patches (4489878 and 4474419) restored the video (and Chrome).

    • Allan,
      If your video failed how were you able to back out the two updates? Safe mode?

      • John, correct, rebooted in safe and then did the roll back. And all I had to roll back were the security patches. Might have gotten away with just one of the two, but haven’t tried individual installs of each to see if just one is the offending update, or if it’s both.

  7. The correct Google Chrome version is 73.0.3683.75 as of today. On a side note, I don’t get an arrow on the address bar, or any other indication that Chrome has an update pending. My update notifications usually come from US-CERT via email. I usually click on the Hamburger -> Help -> About Google Chrome on all OS flavors to perform the update.

    So far no problems detected on Windows 10 Enterprise from this update.

    • Thanks for that! I didn’t realize, and got caught with my pants down – so to speak. Chrome is usually better than that. Not even my software updater caught it.

  8. This patch caused lots of problems on my laptop.
    The first was a series of repeated error messages about being unable to access the wacom driver. I eventually had to plug a wacom tablet in to get past those, but when the desktop started to appear it was extremely slow.

    It’s a little better now, but still very slow to boot up and shut down with noticeable lag opening programs like Word and Gimp, and in opening files with those programs.

    I haven’t tried to use any tablets yet. Word threw up an error when I first tried to use it, but eventually started to run.

    And, of course, the whole process made me late for work because I’d only intended to turn on for 5 mins to google something. 45mins later I was able to power down and go out.

    It’s an HP G50 laptop

  9. Immediately after Tuesday’s update, a lot of my text (in email and on various sites) appears faded and portions of the letters are missing to the point it is unreadable. Anyone else have this problem or know a fix?

  10. This patch is killing me. Two machines running Win7 Pro on automatic updates have hung in an endless loop of “Configuring Windows – Do Not Turn Your Computer Off” warning messages. The machines never actually boot …

    • At this point I’m reasonably convinced that Microsoft is … maybe not directly sabotaging Windows 7, but being so incredibly awful about support and quality and regression-checking updates that it’s reasonable to believe that they’re punishing anyone who has the temerity to not switch to Windows 10 on their schedule.

      • Microsoft issued a reminder among those KBs that states that Win 7 will be out of support from February 2020.
        I’ve dumped the SHA stack KBs though, as when I figure out that I need them, I know where to get them.

    • Had same problem. CTRL-ALT-DELETE gets you in.

  11. As far as DHCP abuse goes, many business-grade switches have a function that blocks rogue DHCP servers. It’s a good idea to use this functionality regardless of this specific issue.

  12. I’m curious what problems enterprise users are having if they do a “one shot” patch application to all their Microsoft products. Are the problems mainly browser related, small components, or all over the map? How many of you are able to apply all patches simultaneously without incident?

  13. PC killed (win 7 64). Thanks to Microsabotagesoft. After UEFI it goes into system repair loop. No safe mode. SFC and offline iso DISM won’t work.

  14. Just out of curiosity… (No sarcasm implied) why are y’all still running Windows 7?

    • Windows 7 isn’t perfect, but it was one of the most stable, secure, and easily used versions of Windows, when it was introduced. A great deal of money and time was spent integrating Windows 7 in the modern workforce.

      Entire industries evolved around Windows 7, don’t forget. Much of “Internet 2.0” was built on computers running Windows 7. The growth of healthcare informatics was integrated with secure software designed for Windows 7. The proliferation of high speed Internet was fueled, in part, by inexpensive computers in every school and small business, all on the back of Windows 7.

      Since Windows 8 and 10 are cosmetic updates to the user interface and fairly minor changes that don’t affect the core purpose or functionality of Windows, it’s hard to argue for major investment into converting older systems to use 8 or 10.

      Many of these readers may want to upgrade their systems to Windows 8 or 10, but they don’t want to abandon other software or equipment that were designed to be used with Windows 7.

      There’s no sense in eating a hen that still lays eggs. The same goes for cows that still produce milk and replacing Windows 7.

    • It started out with Windows 10 being a complete dumpster fire when released. My honest impression is that it was so bad that I thought it was Microsoft’s passive-aggressive way to get out of the desktop operating systems business. There’s nothing that says “professional work environment” like Microsoft whoring out your desktop for the latest crapware version of Candy Crush or whatever. They took all of the horrible problems associated with their “monthly service pack” approach to Windows Update and somehow made those a hundred times worse (and ten times slower) with a container store system that breaks every few months and almost always requires 1-2 technician-hours to fix (we’re getting better at automating this, but the amount of work has been insane – it’s like all of the tools involved were specifically designed to resist scripting). The UX is somewhat better than Windows 8/8.1, in a desultory way (“Ok. Fine. You can have your start menu back. But our feelings were really hurt, so we’ll still use tiles for no obvious reason and bury the far more useful Pin-to-Taskbar function another pop-out menu deep.”). Then there’s the whole “you’re getting a mandatory point-release OS update every six months, no matter how stupid that is in a business environment that’s more concerned about stability and UI continuity than it is about having a better version of Minesweeper”… or you can buy Enterprise Edition ($$$) plus Software Assurance ($$$) and we’ll deign to let you use the LTSB version that we made that only you ridiculous troglodytes who insist on avoiding the trendy new continuous release paradigm (translation: everything is early beta quality, forever, get used to it) have any interest in.

      It’s like the executives at Microsoft went to an astronomical degree of trouble and expense to graft more arms onto themselves so they could give us the finger with eight or nine hands at once instead of just two. So, please humbly pardon us if we weren’t just aching to get with the program.

  15. Running Windows 7 Home Prem 32 Bit. Was unable to run System Restore after January 2019 updates. Had to restore back to a system image using a recovery disc & then did not try to re-install January updates. Had no problem with Feb updates, but ran into the same system restore problems with March updates & so I restored back to a system image once again. Jan & March updates causing slow down issues & some funky issues with my desktop icons. Do not like these updates disabling my System Restore, thus I am doing a complete Backup & System Image from now on immediately before installing any more Microsoft Updates so if I need to restore my system using a system image, I won’t lose a bunch of data.

  16. New windows updates (March 12/2019)has given me the blue screen with the notation (Driver IRQL not less or equal(afd.sys) and system reboots. Have uninstalled update and everything works fine. Installed on 3 different occasions and each time I get the blue screen, so I am left with not installing this update. What’s the fix if any?

  17. Issue resolved but not exactly sure how I did it. I did 3 things: disconnected all USB ports (printer may have been wonky); installed a new update for Java; rebooted computer 2 times. All done after new update installed. One of these worked, not sure which one did the trick.

  18. Question:
    Is a machine “protected” from Google Chrome Vulnerability as long as this Microsoft update KB4489878 is installed or Google Chrome 72.0.3626.121?

  19. Much as I’d love to update this HP Windows 10 desktop machine, it’s been stuck at Windoze 10 v1703 forever. It cannot update to 1803 (at all, never mind the patch fixes) due to an issue with “Infineon TPM Professional Package can’t be uninstalled,” and if you can find that blasted thing on this machine, you’re a better man than I.

    All my other machines are fully up-to-date; this one is stuck in the weeds, despite many sessions of researching the problem on the Intertubes and trying various solutions: searching for certain folder names, filenames, MSConfigging and whatnot. Having MS tell me (in their error message) that I must manually uninstall the thing because their procedure cannot does not fill me with confidence. One of these days I’ll figure it out.

    • Have you tried to install 1809 directly through use of the MS creation tool to produce the updated image on a USB drive for installation? That worked (finally) for me on a Toshiba netbook with a 32Gb SSD after nothing else had, and 1809 installed properly that way.

  20. It can be difficult to find the coupon codes you want when you need them most. Here are some quality websites dedicated to finding discounts and collecting

  21. Well we are experiencing huge problems with Office/SharePoint. All of a sudden 9 out of 10 documents opens in Read-Only mode with no option to turn it off. This is when opening from IE. Opening the document in OOS (browser) works fine but not in desktop application.
    Using Explorer in SharePoint to edit the document works fine, but clicking the link to edit the document does not.

    Using Chrome…no problems.
    Anyone experiencing the same problems?

  22. google plus account

    Thank you for that info.

  23. Hello
    This last update borked my girlfriend’s computer. She let it update and went to her mother’s. When she came back she was getting a no signal on the screen.
    After rebooting it still said no signal. Being the geek I am, I went through all of the obvious things: checked the cables, tried the onboard video, unplugged the drives to see if one went bad, tried a different video cable, checked all of the wiring inside and out. Still no boot into BIOS, no sounds, no bad codes, simply “No video input detected.” The board is a Z87 Pro with a 4790K Intel, 16 gigs of RAM… oh, I even moved the RAM and tried one at a time. She is a casual gamer (Conan, Ark and a few others); the computer has been fantastic up until that update and now this. Yes, we have tried the battery and the BIOS reset switch on the board to no avail. Any ideas? And thanks for reading the rant lol.



#####EOF##### Sources: Target Investigating Data Breach — Krebs on Security

18
Dec 13

Sources: Target Investigating Data Breach

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.


Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story;

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
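To make “track data” concrete, the following Python is an added example (not from the story, and not Target’s or the investigators’ code): a parser for the two magnetic-stripe tracks laid out in ISO/IEC 7813, run over constructed sample tracks for a fictitious cardholder. The PAN used is the well-known Visa test number, not an account. It shows which fields a counterfeit card can be encoded from, and that the card-not-present security code (CVV2) is not among them.

```python
"""Added example (not from the story): a parser for magnetic-stripe track
data, so the fields a counterfeit card can be built from are visible.
Sample tracks are constructed; 4111111111111111 is the Visa test PAN."""
import re

# ISO/IEC 7813 layouts. Track 1: '%', format code 'B', fields split by '^'.
# Track 2: ';', PAN and the rest split by '='. After the YYMM expiry comes
# the 3-digit service code, then issuer discretionary data (which carries
# the stripe's own CVV1/CVC1, never the CVV2 printed on the card back).
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?$")
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?$")

# Constructed samples (fictitious cardholder, test PAN).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011000000000000?"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the first filter a card shop applies to weed out junk."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> dict:
    """Parse one track into its fields. Raises ValueError on malformed input."""
    m = TRACK1_RE.match(raw)
    if m:
        pan, name, yy, mm, svc, disc = m.groups()
        track = 1
    else:
        m = TRACK2_RE.match(raw)
        if not m:
            raise ValueError("not a Track 1 or Track 2 string")
        pan, yy, mm, svc, disc = m.groups()
        name, track = None, 2
    return {
        "track": track,
        "pan_masked": mask_pan(pan),
        "pan_luhn_ok": luhn_ok(pan),
        "name": name,                       # Track 1 only: SURNAME/GIVEN
        "exp_year": 2000 + int(yy),
        "exp_month": int(mm),
        "service_code": svc,
        # Service code first digit 2 or 6 tells the terminal a chip is present,
        # so a clone of such a card should be refused where EMV is enforced.
        "chip_card": svc[0] in "26",
        "discretionary_len": len(disc),
    }


if __name__ == "__main__":
    for t in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(t))
```

Everything needed to write a working stripe clone is in those two tracks, which is why a breach of in-store swipe data is so much worse than a breach of online order records: an e-commerce database normally holds neither track. The service code is also why the later move to chip cards matters, since the terminal is told a chip should be present.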


It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards in total across both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.


Have you seen:

Cards Stolen in Target Breach Flood Underground Markets: “Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.”



620 comments

  1. Does anyone know if the card number of a Target Red Card should be changed that is just withdrawing funds from a checking account? I imagine so huh? Unfortunately I cannot get thru to Target to do this and the only way is via phone…..

    • It’d be a good idea to get a new card. In the meantime, keep a close eye on your checking account. If necessary, you could close your checking account, and get a new one.

      I would think it’ll be easier to get through to Target by phone in a few days. I was able to use the automated system to request a new Target credit card today, though I had to call a few times before I was able to get a connection.

      • Why the hell would you want a Target card or ever do biz w/them again?? Lawsuits are now being filed nationwide. If anyone has to do biz w/ Target, pay cash; never trust them again for security same with TJMaxx.

  2. Target is saying that only the customers “In-Store” were affected but I made a purchase on December 2, 2013, through Target’s ONLINE store, and my debit card was compromised. My Bank has confirmed that my card was compromised after making an ONLINE purchase @ Target. The “unauthorized access” impacted ONLINE customers as well.

    • Your card could’ve been compromised in a different breach, or intercepted online.

      You shouldn’t use a debit card to make online purchases. Use a credit card instead. That way, if fraud occurs, you won’t be out any money (assuming you look closely at your monthly statements).

    • Target is apparently lying about this (online purchases)!! I just cancelled my bank debit card to reissue new. Get involved with the class actions going on nationwide; they deserve to pay. Use cash from now on or shop elsewhere. Target cannot ever be trusted with security and neither can TJ Maxx. We need to get chip cards as magnetic strips are dated technology.

    • I think some people are trying to say their accounts were hacked just to TRY and get out of paying their bills or are trying to use a situation to get free money. Banks are one step ahead of that game

      • Maybe some are? I can surely tell you that I shopped at Target right before the holiday weekend and after the holiday weekend and besides my red card other cards were affected with charges to Iceland, Turkey and some other country that starts with a B

      • Trying to get out of paying our bills?? So you really think a person would go through this hassle to inform the bank that they had fraudulent charges when they really didn’t? You must not have gotten up one day to check your bank account to find that hundreds of dollars were missing. If you did you would not have made that statement.

        • Oh yeah you can add the country of Cyprus to my list of foreign countries!!! Not to mention I haven’t traveled anywhere out of Southern Cali

    • I believe it happened on a much bigger level beyond Target, that might have been the retail giant that was hit. Target sent me a note yesterday that they are sorry for the matter, nonchalant, REALLY!!!

      But I also think it happened somewhere else other machines and devices too or via online

  3. Something interesting –

    I had shopped in Target on Dec 12th and used my Target Red card (credit). I checked the activity yesterday via the 800 number and the 12/12 purchase was there, but thankfully no fraud has occurred yet.

    When I checked today, the 12/12 purchase was not there! I wonder how that happened?

  4. I took this picture on 12/11.. By coincidence the ATM machine had crashed. I posit is it possible that these machines were also hacked ?

    https://twitter.com/ftribaldos/status/411682484875579392/

  5. Should we change our credit card numbers? My credit card bill is paid for through my checking account. Is this compromised also?

    • You can put a free 90 day credit alert on your account, and get credit reports for free at https://www.annualcreditreport.com
      The credit alert means that any new accounts opened require a phone call to you to verify the new credit account. Also they are not supposed to mail you credit card offers.

      Check activity on your accounts by logging in to your cc websites, or calling the providers. Do you know you used a card during the timeframe at Target?

      If you know you did use a card at Target – or there is unexplained activity on your card, then have the card company issue a new card. Go through your statements to update any recurring payments that might get fouled up. (Also helps to check Paypal and Amazon cards on file.)

      Bogus credit card charges will be covered by the card companies, if you notify them in time. (I am not sure what protection you get on debit cards with a Visa insignia.)

      • Oh, regarding the bank account. No its not compromised, but it could definitely be affected if you’re not paying attention. I don’t like autopay for that reason.

      • Bogus credit card charges are NOT covered by the card companies, the cost is put upon businesses that these cards are being used at, including small mom and pop shops like ours. The banks give us chargebacks and we lose the merchandise as well. The banks bear none of the cost.

        • This statement is not correct. All fraud loss in a face-2-face sale using counterfeit cards is a loss taken by the bank that issued the card.

          If a card is stolen and it is used for a non-face-2-face (CNP) transaction the loss falls on the retailer. In this case, the full mag stripe data (track 1 & 2) was stolen. The fraudsters in most cases would need the security code on the back of the card for Internet sales, which was not stolen.

          So 100% of the losses for fraud are borne by the banks, which currently in the U.S. is several billions of dollars annually.

          If the merchants had the risk we would see more asking to see valid IDs at the point of purchase and fraudsters would not be purchasing tens of thousands of Gift Cards at self service counters. I personally have cloned my debit card onto a hotel key and used it at every major retailer with no problems.

          If the merchants placed more emphasis on whether the card was actually owned by the holder, especially for Gift Card sales, we would see fraud losses drop dramatically, but because they have “zero” liability fraudsters can and do shop with complete impunity.

          • Sorry for the spelling. Not a fan of “spell check” on my ipad. 🙂

          • Rick

            I wish you were right about the face to face transactions being eaten by the issuing bank but that is not true. I operate many retail brick and mortar locations and we are plagued with chargebacks from stolen or fraudulent cards. In almost all cases the retailer eats the fraud.

      • Fred Hefflefinger

        This hacking is going to expand rapidly. My account was hacked, a Chase MasterCard, and I did not make a Target transaction in the so-called time frame they are claiming. My transaction was November 8 (cleared Nov 10).

  6. I’m currently on hold with Target now… a little over 2 hours. My question is… I signed up for the RedCard credit card during that time frame and in doing so… you enter all your information to qualify for the card on the screen of their “swiping” machine… including social security number and birth date. Is all info entered into the machine compromised as well… or just the cards that were actually swiped through that machine?

    • It’s very difficult to say whether your identity information could have been compromised during that time period or not based solely on the media reports. What I would suggest you do if you are concerned about it is perform a credit freeze on your credit accounts. The process is pretty straightforward and depending on your state would be something you would pay for, something like 1 – 15 dollars per credit account. The way a credit freeze works is, you freeze your credit with each bureau and when you need to apply for a new account you need to ‘thaw’ it a few days prior to requesting the credit. It can be a pain, but it also prevents people opening accounts in your name and applying for new credit. I would love to hear whether the PIN machines which held your information were part of this compromise so that advice would be much clearer to individuals.

  7. With nearly every store involved, this has to be a Target inside job. Hearing that TSS India handles Target’s credit processing leads me to suspect they are the source of this breach. It will be one or a few corrupt employees that did this.

  8. While this may be coincidence, the last time I shopped at target was on November 25th, and my card was just compromised (luckily my bank caught it.) I wouldn’t be surprised, and it might be worth for Brian to take a look, at whether the breach in fact started earlier than they’ve admitted so far.

    • I expect the window to get bigger. Unless they have identified the source of the breach, the only way to identify the when is by the cards compromised, and there’s just no way to know until all those cards are in the open.

  9. I used my credit card from South Africa and we have a ‘chip’ on the card; will that affect the ability to clone or copy the card for use?

    • You have a card with a chip, which is great. But from what I understand Target’s POS systems are not designed to interface with the chip in your card. It sounds like the magnetic stripe data on your card could have been compromised. But you would have to ask your issuing bank whether that poses a risk to your account.

      I would check because here in the states there is a greater emphasis on using software to check transactions for validity. Your banks may not place such an emphasis on verification where the rate of fraud is lower. Also, your rights as a card holder will be dependent on local regulation. It’s worth Skyping your bank…

      • Since very few places in the US support chip on card (Target does not) then yes, your card is at risk. The mag stripe is kept on the card for backwards compatibility for use in places where you can’t “dip” your card, such as your use in the US at Target. IMO it is worth canceling the card to be safe. My card was used in the window of compromise and despite not seeing any fraud yet I am canceling my card on Monday. The trouble to cancel and get a new card is far less than the hassle of dealing with fraudulent charges, especially if it’s a Visa / MC bank card. While your protection is the same as if it’s a credit card, that hassle becomes a bigger impact when you’re dealing with disputing charges that have taken money out of your bank account vs just charges that are billed to a credit account that hasn’t taken actual funds away. Either way the charges will be reversed but banks are much slower to replace funds than take money out of your account!! It’s just extra hassle if you’re hit with fraudulent charges when it can take a week or more to get that money back in your account.

        I HIGHLY recommend every person that shopped in that window of time preemptively cancel their cards before fraud hits. It could be months before your card number is sold and reused fraudulently.

  10. I just happened upon this site after a Google search into the “Target breach” since I have spent all morning on the phone to no avail. I just checked my debit card statement – I have not been in a Target since 11/10/13, and my card info was used on 12/19 for 11 fraudulent transactions. I see where other people state they’ve had issues outside of the 11/27-12/15 window – how can Target not know which dates’ swipes were breached and claim to have “solved the problem”? I know others keep saying “you don’t know when your information was taken” and “you don’t know that this was the same group” to those outside of the press release timeframe, but I’m not huge on coincidences – regardless of where else we shopped and when, we all shopped at Target, whether or not it was post-Black Friday.

    • +1

    • You are lucky. The breach prevented you from going into credit card debt more. #goodexcuse

      • It was a debit card, actually. I’m fairly good at managing money as long as I don’t go pick up toilet paper and body wash and find out six weeks later that it cost me an extra $600… Thanks for the well thought out advice, there.

    • I have kept all of my cards in a RFID container in my purse for the last 3 years. It was 3 years ago when someone used my card to purchase a $700 plane ticket. Since I have had my cards in the RFID container I have had NO fraudulent transactions on my card. Then Dec 23 I went into Target and used my card. On Dec 24th someone used my card fraudulently at ToysRUs for $368. Coincidence? Well this is outside the Dec 15th supposed end date of the Target breach. I have spoken to many people on Twitter who reported going to Target Nov 10th and other dates before the Nov 27th reported breach start date and then they had fraudulent charges on their card. So, has Target been honest with the public about the containment of this breach? Is it ongoing? Did they not want to say the breach is still active so they won’t lose Christmas profits? I need these questions answered. I want Target to be honest with Americans and if they are found to be lying and allowing the public to use their credit cards knowing they have not contained the breach, they MUST be held accountable. I called the FBI today to advise them of my experience, that I had not used my card at Target for MONTHS, then used it on Dec 23rd and then fraudulent charges appeared on my card Dec 24th. A woman FBI agent told me that the hackers may still be at work. Well, if my fraudulent transaction was caused by Target, then their breach is ongoing and not contained. Who pays for the fraudulent charges? The banks. Who pays for the credit monitoring? Target. So what has Target got to lose when allowing a breach to continue through Christmas? This is outrageous! I felt safe to use my credit card there on Dec 23rd, but having a fiance in college seeking a cyber security degree, and learning the material with him, I should have known not to use my card at Target. What an idiot I am.

  11. My husband’s card was flagged as compromised yesterday (Dec 20) after swiping it at Target. They also cancelled mine. Always nice to be at the fuel pump and see card declined and have no access to funds until Monday. Couldn’t finish last minute Christmas shopping… Thanks Target.

  12. I think Target got what it deserved. For years the majority of fraudsters I have seen were making purchases with gift cards from Target. As far as I know Target doesn’t care if their stores are being used as conduits of criminal activity as long as it doesn’t take a loss. And this is true of most retailers and banks; they just don’t care. The retailers aren’t taking the loss, and the banks just absorb the losses. Then fraudsters turn around and flood urban communities with drugs and guns from the profits they make from using counterfeit credit cards to buy gift cards, then returning or selling the merchandise.

    • I used my card at Target on December 18th. Am I alright?

      • I used mine on Dec 23rd and it was fraudulently used on Dec 24th. I had not used it at Target for months. I have spoken to others on Twitter who have stated they went to Target before and after the reported breach dates of Nov 27 – Dec 15 and their card was fraudulently used. We MUST get the word out NOT to use your card at Target. My prediction is that we will find this is bigger than we thought.

  13. I would be interested to know how the breach took place. It was being initially reported as a skimming attack, but I can’t believe every Target store’s credit card machines could have a skimmer attached unless it was some kind of zero day backdoor or secret chip install. That would probably imply a state sponsored attack and leave significant traceable evidence. I am assuming it is more that the conduit between Target and its merchant provider was hacked or that there was a systematic breach on the local stores. For instance, if store routers were set up with some sort of systematic password scheme that was found out by attackers they could be sitting on Target’s networks. However, I doubt we will ever be told the truth about the details of the attack.

    • It’s not a skimming attack. I think in many cases the term skimming has come to mean any theft of card data at time of use, regardless of whether it’s a hardware skimmer or not.

      I doubt it is a store router compromise; it’s very unlikely that the card data went over unencrypted channels at the store router, and unlikely that the entire track data was transmitted. It would be a huge waste of bandwidth to be transmitting full track data to the bank; it’s not required.

      To have compromised every store, it’s likely to have been a POS compromise, either an exploit in Windows allowing a trojan, an exploit in the POS software, trojan firmware in the Verifone PIN devices, or an OS / POS compromise at the POS server in each store… IMO the least likely (even though it’d be the most efficient) would be if the firewall / router(s) on the link(s) to their acquirer / bank were compromised.

      What will be most interesting, IMO, is to find out A) how they got inside the network (inside job or did they break in from the outside), and B) how they managed to distribute the hack to EVERY store undetected. Even if it was a Windows exploit allowing a trojan to be placed on each POS terminal, that kind of traffic /normally/ would show up… it would in our environment, unless they were able to get in and slowly distribute the trojan over a period of days.

      IMO state sponsored is highly unlikely. China is about the only one that would have a stake in such state sponsored attacks against a retailer, and those attacks are kept under very tight wraps, and don’t involve CC data theft; they involve other data theft such as pricing, margins, suppliers, etc. – data that could give a Chinese based company an advantage when working with a US retailer. For it to be a state sponsored financial attack, you would expect to see multiple large retailers hit all at once, and in a way that would disrupt commerce or banking in the US, destabilizing the financial sector in some way, or shaking consumer confidence.

      Don’t underestimate the size, power, and ability of some of the Eastern Bloc countries such as Russia and former Soviet nations. While there may be better skilled groups in China and other Asian nations, the Russian / Baltic groups are generally the ones that are carrying out these attacks for financial gains, while the Asian groups are generally doing it for state reasons, or other gains / disruptions.

      There has long been information out there that the Russian authorities have told the mob and cyber criminals that they will look the other way in these cases, provided that they never attack any interests that are based in Russia, and that they don’t attack Russian consumers…

      Also, considering the cards have shown up by sellers with Russian cyber crime / mob ties, lends to this being a Russian organized crime attack of some sorts…

      • Here is my theory on the attack vector used in this breach…

        The idea for this attack vector struck me one day while shopping at a Target. I went to the checkout and was asked for ID. I showed it to the cashier but was asked to remove it. As it was completely visible in my wallet window, I had to ask why. She stated that they have to scan the ID to bypass the age restriction lock. Paranoid about my data, I asked what would happen if I said no. She stated that she would have to get a manager to override. I opted for the manager override. Shortly thereafter, I began to research what data is actually stored on the back of the cards. Surprisingly, it seems that name, address, DOB, height, eye color, hair color as well as your driver’s license number is encoded in that bar. I’m glad I didn’t let her scan it. I found out that the format used is called PDF417. I found a barcode scanner that could read this format and took a look at my ID. Sure enough, all of my data was there in plaintext. The security gears in my head began spinning. If this text is stored by Target, I would have to assume that it’s put in a SQL database. Knowing how sloppy some applications can be, especially when it is assumed that no one could possibly attack it, would it be possible to perform SQL command injection through this by creating your own barcode and affixing it to the back of your driver’s license? There are a number of free PDF417 code generators online. Based on the assumption that there must be some sort of connectivity between the reader and the register, as the register has to pass the price, I believe that this may have been the attack vector used. Especially considering that there must be some level of security at the stores network borders.

        I’d be interested in hearing what the community thinks about this and if it would even be plausible.

        • HOLY CR@P Jason! I always wondered what was on that strip on a license! Thanks for posting!!

          • No problem. Wondering if you think this might be plausible? I’m very interested in the amount of trust placed on the integrity of the data embedded in IDs in all their forms. This could be an overlooked attack vector in many different circumstances.

  14. Thanks Ruberic and CJD on the response to the chip on the South African cards. It appears Amex blocked my card (without letting me know, but that is okay, rather that than having it used fraudulently). It does leave one up the creek though being abroad and having a card cancelled.

    We have those chips because there is such a large amount of credit card fraud committed by the Nigerians, so maybe they also have a finger in this pie.

  15. When someone writes a post he/she retains the plan of a user in his/her brain of how a user can understand it.

    Thus that’s why this article is outstanding.

    Thanks!

  16. My debit/credit card was compromised and the bank cancelled my card. They assured me I could still write checks off my account until my new card comes in the mail. Well, the day before Christmas I wrote a check and the retailer said that TeleCheck denied it. I have never written a bad check and when I called my bank they said there was no reason for TeleCheck to deny it. Has anyone else been experiencing this? The retailer said they had this happen to four other people that same day who had been hit by the Target scam.

  17. Anyone who has been a victim or knows someone who was a victim of the Target card scam, please visit this website: targetcardclassaction.com. At the site, you will be asked to provide important information that will be forwarded to a class action attorney. Thanks.

    • Setting up a phish net? I apologize if your website is legit, but a gmail address for people to send questions to? What law firm is behind this website?

    • This request smells so bad that no one should enter info here. No reference to a class action attorney that can be validated and requesting info that could be sold to buyers of the card numbers allowing them to forge accompanying identification info. If the date of purchase and amount was stolen for instance, it could be tied to the stolen card number.

      Sorry Mike Berkowitz of Huntington Valley, PA (assuming that’s your real name), but if your intentions were honorable, you offended my intelligence by your completely idiotic post. What guarantee would someone have that you could protect data if Target can’t?

      • I would not put any info on that page, period. I did some research on the actual matter and it belonged to an IP address with multiple weird names to it.

  18. How about the people that applied for a Credit card at Target during that time?
    Was that information hacked too?

  19. I believe the breach began before Nov 27th and may still be ongoing. I used my card on Dec 23rd at Target for the first time in months and then on Dec 24th someone used the card at ToysRUs for $368. I called the FBI to tell them that maybe the breach may still be ongoing and not contained.

    • I believe it did too; we are just learning about it now. Not to mention that Target is speaking out the sides of their necks: first, how can they assure us everything is okay when I spent a good part of today reaching out to my credit card companies and requesting new cards because 6 of them had charges from Iceland and Turkey on them!

  20. This smells like a wireless network hack. Anyone running anything other than a RADIUS server for security on their wireless network is asking for trouble. WEP, WPA1-2 have all been hacked; most of the tools can be had on the internet for free. Lots of legacy equipment only works with WEP or WPA; these corporations’ lazy IT departments don’t bother closing the security risk with the wireless networks.

    • Unlikely. Transmitting cardholder data over Wireless networks unencrypted is a pretty big no-no. I would be surprised to find out Target used wireless for their POS registers, especially considering the VeriFones aren’t wireless and at least at my local Target, the VeriFones are using Ethernet, which if you are going to run Ethernet to the lane for the PIN devices, it would make no sense to not run it for the register too. There is almost NO benefit for a retailer to use wireless for the registers, when you look at the cost to remain PCI compliant whilst doing so.

      You would also have had to compromise 1800 wireless networks (1 per store) and you would have to be sniffing traffic in 1800 places, which means you would need a physical machine in each store, or a compromised machine, that was connected to the same wireless network as the registers, to be capturing data. The only other way would be if the wireless controllers had packet capture abilities similar to the Cisco ASA firewalls, but then you would have had to compromise all 1800 controllers – even if Target used a guessable password / network key, the effort to set up something at 1800 locations to snag the cardholder data during the transaction isn’t very plausible.

      Implementing lazy wi-fi is one thing, but implementing it within the cardholder data environment is a completely different thing. To be PCI compliant (we would have heard by now if Target wasn’t) you can’t just have a flat network where credit transactions flow through the same channels as all other network data, and to think, as someone else posted, that Target’s lax security on their guest wireless would allow access to their cardholder network is just insane – they would have been hacked long ago if this was the case.

      This is a FAR more sophisticated hack than something simple like bad wifi encryption / security.

      • CJD… did you happen to read my theory above? I am trying to find out if anyone thinks this would be possible as it would be a direct attack on the POS system itself and probably lead to critical data associated with the POS infrastructure.

        • While a SQL attack is certainly a viable vector, I tend to lean against it in this case, for a number of reasons. Target would be foolish to not disclose if other data was stolen, so that leads me to believe it’s isolated to the credit card data. I don’t know that their POS stores your DL data (it may) but most systems read that DOB for an age restricted purchase, and just flag the transaction as a pass (used for auditing a cashier or proof that ID was provided if audited by the state). Also, I’ve been on the forums where the data is for sale, and there has been no mention of “fulls” (entire identity data) for sale.

          I tend to think either the readers were compromised (for credit data only), the POS software or OS, or the payment network. Target has a similar architecture to my company, and that’s what makes sense (to me) knowing how transactions work.

          The main thing that leads me away from the thought of a DB attack is twofold: if they’re storing the data that was compromised (full track data) then I have a hard time believing they would only store a few weeks at a time of transaction data – I would expect even more data to have been compromised. Secondly, there is no way they would have been PCI compliant, even if they were storing data encrypted, because it’s a huge violation to store entire track data, and there’s no value in storing it. Given the number of transactions they do, storing that additional data would not only be a huge violation, but also would be a huge cost in space for no value to them. Essentially PCI prohibits storing enough card data from a transaction to be able to use it in a compromise. Since the full track data was taken, that just leads me to think it wasn’t a DB attack, even if it was a live per transaction attack (vs compromising already stored data) because if they weren’t storing the track data, it wouldn’t make sense application-wise for the full track data to be visible to the SQL process.

          In our environment, the card data is written to disk in an encrypted transaction file while it’s sent to the bank. As soon as the bank responds, that file is overwritten and the card data is gone. Our bank responds with a unique tokenized version of just the card number (no other track data), and that is what we store in transaction logs (in the DB) for settlement at end of day, and for returns / reversal of charges. Should we reverse a charge, we send the tokenized number back to the bank where they correlate that back to the card number – we have no way to turn that back into card data. I would suspect Target does the same, and data isn’t written to the DB until after the transaction is complete and the card data is gone.

          I also suspect that the payment network is the least likely of the 3 ways I’ve listed, not only because it’s the hardest to get to, but because it would be very inefficient to send the full track data to the bank during authorization, as it’s not all needed. The POS itself seems to be the consensus method, although I still think the PIN devices are just as likely because they can all be updated from one server… meaning hack one server and push a rogue PIN device firmware from one place.

          Time will tell. If you want to discuss more detail via email I’d be glad to toss around ideas and provide more detail than I can here about cc transactions. You can email me at: fd2508b5 (a t) opayq [ d o t ] c o m

          • I agree that a DB full of card data is unlikely. My thought on this as an attack vector was mainly as the beginning stage in a multi-part attack. Assuming the application to check age (and best guess, store user data from ID for later research) is hosted on the POS, then would it not be feasible to have the POS system connect out using SQL commands? Once you have a single POS connect out with a command shell, then you could begin to investigate the way things are configured: update server IPs, backend OS etc… Assuming this is an attacker who has some strong abilities, would it not then be possible to craft a MITM program for the platform that exfils the card data on the fly? I’m guessing that this data was not pushed out in one lump transaction, but sort of hidden in the immense amount of data that would be normal during a busy shopping season.
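As an added example (not Target’s code and not any commenter’s code), the token-only store CJD describes above, together with the answer to Jason’s scanner question: the card data exists only for the span of the authorization, the ID scan contributes nothing but a pass/fail flag, and every write is parameterised, so neither a dump of the store database nor an injection through the scanned text reaches card data. The acquirer, the token format, the ISO 7813 track-2 layout and the AAMVA-style `DBB` element are assumptions of the example, and the sample strings are constructed.

```python
"""Transient card data and tokenization at a point of sale.

Added example (not Target's or any commenter's code) modelling the flow CJD
describes above: track-2 data is parsed in memory, sent to the acquirer and
discarded once it answers with an opaque token; only the token and an age-check
flag from the scanned ID reach the store database.  Everything here is constructed.
"""
from __future__ import annotations
import re
import secrets
import sqlite3
from datetime import date

# ISO 7813 track 2:  ;PAN=YYMM SSS discretionary?   (expiry YYMM, service code SSS)
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")
# AAMVA-style date-of-birth element (MMDDCCYY) in a decoded PDF417 licence scan.
# Assumption for the example: the scanner hands the POS the decoded text as-is.
DOB_RE = re.compile(r"(?m)^DBB(\d{2})(\d{2})(\d{4})$")
DEMO_TODAY = date(2013, 12, 23)  # fixed clock so the age check is reproducible


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: the first thing an acquirer applies to a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class MockAcquirer:
    """Stand-in for the bank host; the PAN<->token vault lives here, not at the store."""
    def __init__(self) -> None:
        self._pan_of: dict[str, str] = {}    # token -> PAN
        self._token_of: dict[str, str] = {}  # PAN -> token

    def authorize(self, pan: str, yy: str, mm: str, amount_cents: int) -> str | None:
        if not luhn_ok(pan) or amount_cents <= 0:
            return None
        tok = self._token_of.get(pan)
        if tok is None:                       # random token, unrelated to the PAN
            tok = "tok_" + secrets.token_hex(8)
            self._token_of[pan], self._pan_of[tok] = tok, pan
        return tok

    def refund(self, token: str, amount_cents: int) -> bool:
        """The store reverses a charge by token only; the host maps it to the PAN."""
        return token in self._pan_of and amount_cents > 0


class PointOfSale:
    def __init__(self, acquirer: MockAcquirer) -> None:
        self.acq = acquirer
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, amount_cents INTEGER,"
                        " token TEXT NOT NULL, age_verified INTEGER, cashier TEXT)")

    @staticmethod
    def age_ok(scanned_id: str, min_age: int = 21, today: date | None = None) -> bool:
        """Read only the DBB element; nothing else in the scan is used or stored."""
        m = DOB_RE.search(scanned_id)
        if not m:
            return False
        mm, dd, yyyy = (int(g) for g in m.groups())
        today = today or date.today()
        try:
            dob = date(yyyy, mm, dd)
        except ValueError:                    # malformed scan: fail closed
            return False
        return today.year - dob.year - ((today.month, today.day) < (mm, dd)) >= min_age

    def sale(self, track2: str, amount_cents: int, cashier: str,
             scanned_id: str | None = None, today: date | None = None) -> int | None:
        """Return the row id of the recorded sale, or None if declined."""
        m = TRACK2_RE.match(track2)
        if not m:
            return None
        pan, yy, mm = m.group(1), m.group(2), m.group(3)
        age_flag = None if scanned_id is None else int(self.age_ok(scanned_id, today=today))
        token = self.acq.authorize(pan, yy, mm, amount_cents)
        del pan, track2   # stands in for overwriting the transaction file once the host answers
        if token is None:
            return None
        cur = self.db.execute(                # parameterised: scanner/cashier text is data, not SQL
            "INSERT INTO txn (amount_cents, token, age_verified, cashier) VALUES (?, ?, ?, ?)",
            (amount_cents, token, age_flag, cashier))
        self.db.commit()
        return cur.lastrowid

    def refund(self, txn_id: int) -> bool:
        row = self.db.execute("SELECT token, amount_cents FROM txn WHERE id = ?", (txn_id,)).fetchone()
        return row is not None and self.acq.refund(row[0], row[1])

    def stored_values(self) -> list[str]:
        """Audit helper: everything the store persisted, as text, so it can be searched for a PAN."""
        rows = self.db.execute("SELECT amount_cents, token, age_verified, cashier FROM txn")
        return [str(v) for row in rows for v in row]


# Constructed sample input: a Luhn-valid test PAN, and a licence scan using AAMVA element
# codes (DCS family name, DAC first name, DBB date of birth, DAQ licence number).
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000?"
SAMPLE_SCAN = "DCSO'BRIEN\nDACPAT\nDBB06151980\nDAQD1234567"
```

Running a sale with `SAMPLE_TRACK2` and `SAMPLE_SCAN` and then calling `stored_values()` shows a row holding the amount, a `tok_…` value, the flag `1` and the lane id, and nothing from the stripe or the licence; `refund()` works from that row alone.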

  21. We are ready to serve you 24/7 round the clock for Private Investigator Florida, Private Investigator Fort Lauderdale, Private Investigator Hamptons and Private Investigator Key West.

  22. I have a question and appreciate anyone’s input. I have a RedCard Debit card and did shop at Target during the affected time frame. On Jan 1, I noticed someone shopped at several stores like Gap, several online stores to the tune of almost $1,400. I immediately called my bank to block my debit card and request a new one. My question might be silly – but is this related to the Target security breach? Or was my bank details compromised somewhere else? Can people only buy things from Target using our stolen data or elsewhere? Thanks

    • It is my understanding that the Target RedCard debit card can only be used at Target stores. That being said, if the data associated with the card (i.e. your bank account number, your real debit card number, etc…) are associated with the Target card in a database that was hacked, then creating a new debit card is trivial. I don’t know what info is given when signing up for the RedCard, but if key details are given, then it could be related. No one in the public really knows what all was stolen in this breach or even how it was stolen.

      • It happened to me with other cards also. I used my RedCard and other credit cards on various trips prior to the time frame and after it; check everything, period… I too have a merchant account that is PCI compliant; it was a mandatory move about 9 months ago. Not sure about some of the blurbage on the post, way beyond my mind.

  23. I’ve had purchases at Target using my debit card around November and December as well. And I checked my statement recently and I noticed there were 3 unauthorized charges from Ohio, dated 12/18. I called them but they had no idea what I was talking about… ._.

  24. how to hack a person addresss by just getting nowing her name and number

  25. I was also a victim on the breach list. I think my account was just hacked today. I looked at my account and a transaction called “Check” with a description of “1 Day” was posted to my account today for almost $1000!!

    The best part is that the transaction posted during a super bad snow storm and half of our city is shut down in Michigan so I cannot even call my bank because all branches are closed due to the weather! My bank, Lake Trust, actually alerted all of its customers that were breached and took the liberty of issuing us all new debit cards… nice… but too late 🙁

    It’s awful not being able to get a hold of the bank today!!!

    • pam – Is this on a current/checking account? It sounds like maybe a neighbourhood thief ordering checks after having gotten your banking information, perhaps via a hacked PC, and picking them up out of your mailbox when you are not home. It probably is not related to Target and may be connected to a larger ID theft problem. Check your credit reports.

  26. Chase actually canceled my card and issued me another one because of this. Crazy!

  27. I used my non-Target CC on Jan. 7 at Target. Did not use it again and within a few hours my account was breached and all my money gone. Since it is a prepaid Walmart Visa they won’t credit me back until all transactions post and my CC disputes all the out of state charges.



15
Sep 10

Following the Money, ePassporte Edition

A few weeks ago, I blogged about the financial troubles afflicting ePassporte, an online payment provider whose sudden disconnection from the Visa network left many account holders without access to millions of dollars. I became interested in ePassporte because it kept popping up as I was investigating stories related to affiliate programs that reward people who peddle things like rogue anti-virus products and spam.

Since then, I’ve heard from a large number of disgruntled ePassporte account holders, most of whom were or are in the online porn industry, a market that ePassporte’s CEO Chris Mallick helped to nurture. In fact, as I noted in that original blog entry, Mallick produced “Middle Men,” a movie released by Paramount in August that is a fictionalized account of his experiences in the porn billing industry.

Many of those readers have been asking for an update on this story, and I’m afraid I don’t have a whole lot more to report. But the old adage about following the money led me to at least try to understand a bit more about how ePassporte is structured, and where its money may be.

Before I get to that, it makes sense to restate what’s been said by the parties involved. On Sept. 2, ePassporte owner Chris Mallick sent an e-mail to account holders saying the company was notified that effective immediately, Visa International had suspended the ePassporte Visa program, a card issued by St. Kitts Nevis Anguilla National Bank that ePassporte customers could use to withdraw cash at ATMs worldwide.

I contacted Visa for comment on that story, and the following Tuesday received a statement from Visa via e-mail saying that it had disconnected ePassporte at the request of St. Kitts-Nevis-Anguilla National Bank to “address certain program deficiencies.” Neither Visa nor SKNA Bank has been willing to discuss what those deficiencies may have been. A story in the St. Kitts Nevis Observer quotes a St. Kitts National Bank representative as saying Visa had cleared them of any wrongdoing, although that official – Patricia Wilkinson – declined to say who had accused them of wrongdoing or answer any other questions when I reached her by phone on Monday.

In checking out numerous forums and looking up bank and incorporation records online, I learned that ePassporte is incorporated in Curaçao, an island in the southern Caribbean Sea, off the coast of Venezuela. Indeed, the ePassporte Visa cards themselves include this information, indirectly at least, with the statement:

“This card is issued by St. Kitts-Nevis-Anguilla National Bank Limited” (“Bank”) pursuant to a license from Visa International and under a co-branding agreement between ePassporte N.V. and the bank.”

The Web site for the Curaçao Chamber of Commerce & Industry says ePassporte N.V. is registered at the address Kaya Richard J. Beaujon Z/N, Curaçao, Netherlands Antilles. The managing director of the company is a man named Gregory E. Elias (the same information is included in an old WHOIS records search for epassporte.com).

According to multiple ePassporte users with whom I’ve corresponded, any wires or bank transfers used to deposit funds in ePassporte accounts are sent to ePassporte N.V. via an entity called United International Bank N.V., an organization founded in 2009. Interestingly, United International Bank also lists the same Curaçao address, and lists Mr. Elias as a director, among others. So, on the surface at least, it appears that ePassporte and its primary bank are owned and operated by the same entity and directors.

I was able to locate a phone number for Mr. Elias and reached him this morning at United International Trust. Elias said he had no idea ePassporte customers were having trouble withdrawing their money from the bank, but he declined to answer direct questions about the situation.

“The only thing we can tell you is if you send your inquiries and questions in writing to us, we will pass them on to Mr. Mallick and his lawyers,” Elias said. “We cannot go over queries over the phone. We never do that.” Elias declined to give me his e-mail address, saying I should be able to find it if I really were an investigative reporter.

Mallick and ePassporte have yet to respond to requests for comment. Mallick issued another statement Sept. 10 via an adult Webmaster forum, urging customers who were having trouble withdrawing their funds to be patient. “Our staff is all working diligently to resolve these issues and the many moving and complicated parts of getting the funds returned,” Mallick wrote. “Therefore, please do not mistake our silence as hiding, avoiding or stringing you along. We too have funds that are stuck in the system as well as massive costs of operation without any income.”

But bereft of any hard information from ePassporte, the company’s customers have begun spinning conspiracy theories about what could have fueled the entire fiasco. Some have pointed to Mallick’s film, which according to Web site boxofficemojo.com cost an estimated $20 million but grossed less than $800,000 in a three-week run at the box office that ended in late August.

In any event, I put some of the information I found into a spreadsheet (a portion of which is included below), mainly to help me understand the relationship between the various interested parties as I followed the trail of other stories I’ve been working on. It may be useful to some ePassporte customers: It includes Mr. Elias’ e-mail address and phone number.


353 comments

  1. Scumbag J C Mallick

    What a scumbag. Google Chris Mallick and it will turn up some new sites of his, trying to fix his reputation.
    He even is paying for Google ads with his new websites, .net and .com.

    Again, what a scumbag. Instead of paying for ads and new websites that LIE about who he really is, he should pay people back or give a real explanation and timeframe. Stop hiding behind lawyers.

    No, this bitch would rather try to trick people that he is honest and never was in porn. His website forgets to mention epassporte wallet theft, porn, getting fired at paycom for fraud, his past convictions and fraud bankruptcies and court judgments against him.

    Again, what a scumbag. Mallick and Shaliza and anyone else who helped them deserve the worst punishment that is coming.

  2. Agreed with what Scumbag J C Mallick said. I really don’t understand how it is possible not to be in jail when you stole millions of dollars and everybody knows it. I personally filed complaints at the most important internet fraud divisions, and I know that many like me filed their complaints also. And the worst thing is it’s been almost a year since epassporte closed. And no updates, no nothing! Never heard of a lawsuit against Mallick or epassporte..

  3. jcmallick.com

    Be sure to show your support!
    I wonder if National Net (the host) had much of a stake in epassporte and whether they got paid?

    Rest assured some (influential) people did get paid.

  4. Looks like everyone gave up? Where’s that fighting spirit?

  5. There’s nothing we can do. It’s been 1 year.

    • Really? None of you guys hired an attorney to go after J.C. Mallick of Oxymoron Entertainment?
      Nobody has been in contact with Christopher Mallick? I find that hard to believe. If you have thousands of your hard earned bucks there, shouldn’t you even email oxymoronentertainment or 24-7 commercial marketing and talk to J Christopher mallick about returning your money? Did anyone call them?

  6. “Really? None of you guys hired an attorney to go after J.C. Mallick of Oxymoron Entertainment?” Cannot hire. I only have $3500 there and we need at least about $20000 US for an attorney to even look at us!
    “If you have thousands of your hard earned bucks there, shouldn’t you even email oxymoronentertainment or 24-7 commercial marketing and talk to J Christopher mallick about returning your money? Did anyone call them?” I’ve tried to email every email address that I could find and called all the phone numbers that I can find. First at walletrequest@epassporte.com there was an automated message; now it is taken off. I even emailed Mallick’s attorney with the info provided from SNKAB with no success, not even a reply. Do you have additional emails or phone numbers that I can call?? Anyway I already did 3 complaints to the most important agencies…

  7. I have about $14,897 there, please find some way to get that money, i am seriously in bad need of it.

  8. Dan, can we do something, for me $14,897 is really a big amount, can we do something together for everyone, my education has been stopped, please let’s do something am in serious need of that money.

    You can email me at sweet_sujal1@hotmail.com

  9. Hi Mike,
    Look I’m not from US but tell you what, I too decided that I really need that money asap, so I currently am looking for an attorney in US but first of all I need to be sure that you indeed have money lost there. As you’ve seen on epassportelawsuit.com many requests there are fake. So tell you what. You can take a picture of the amount. You can use the screengrab addon for firefox. Then upload the picture to tinypic or any other free picture hosting. Here is mine: http://i52.tinypic.com/24v8d8m.jpg The reason that I want you to upload it and post the link here is that I want everyone to see that we indeed lost money because for some reason, after 1 year I didn’t hear about any lawsuit against epassporte. So upload your proof, post it here and I’ll email you further instructions to set up things together.

  10. One of the problems is that people say they really want their money, but they don’t do anything to make it happen. I would like to share some new info with you guys dan and mike and any other stable minded accountholder who earned their money legally and paid taxes on the funds.

  11. WalletGuy thank you very much. I’ve set up an email: walletfunds@ymail.com any info you can spare is greatly appreciated. Also please all of you who are willing to take this to court email me at walletfunds@ymail.com and use in the subject line epassporte because I have a feeling that I’ll receive a lot of spam there. Also please attach the proof that you lost money there, I don’t need your id just a link or a jpg with the amount so I can be sure that we indeed have around $20000. You can block any distinctive features. About payment for the attorney we’ll talk when we get there.. Anyway I was thinking some kind of % from the amount that each of us has there.. WalletGuy pls email me. Thanks


Canadian Police Raid ‘Orcus RAT’ Author

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”

“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

Earlier this year, Rezvesz posted on Twitter that he was making the source code for Orcus RAT publicly available, and focusing his attention on developing a new and improved RAT product.

Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.

“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”


40 comments

  1. Sascha A. Carlin

    What still makes me wonder is why we have not seen hardware manufacturers finally put an end to abuse of webcams and make sure, hardware-wise, that such cameras cannot be active without their indicators, well, indicating that they are.

    I guess I am missing something important here. Can somebody please point me to it?

    • It seems so obvious that the power going to the webcam should be the same power source that lights the LED indicator – so that it’s electrically impossible for the webcam to be on without the LED also being on. Instead, manufacturers control the LED indicator with firmware, which, as we have seen, can be disabled maliciously. No one is holding device manufacturers responsible for user privacy.

      • There is one problem with that idea…the fact that doing it that way would require the LED and the camera to have identical power requirements, which they do not. (Not even close, looking at options for cameras at DigiKey…)

        So, as a result, they need separate (and different) power feeds, each of which requires their own control. Sure, you could use a relay…a solid-state relay would be the smallest option. But it would still require your laptop lid to be nearly half an inch thick to accommodate it. And thus that power switching control ends up being done via software because, well, people like thin laptops, not thick ones.

        • You wouldn’t need a SSR. Just one mosfet doing low side switching for the LED, or a BJT and a resistor in series with the base.

          Look for my post on Steve Gibson’s podcast.

        • All you need is a physical switch for both the mic and camera. Switch it off, and neither the mic nor the camera is capable of being turned on. That’s it, that’s all. It can be done with a pretty small switch with 2 separate power cables for each device.

          • Physical switches cost money. The device manufacturer has to test them with some sort of physical device to move the switch, or a person.

            A shutter on the camera might be cheaper.

    • I can somewhat explain this. The camera needs firmware. To keep things cheap, there is no programmable memory in the camera to hold the firmware. Rather the OS driver is what uploads the firmware. So the hacker changes the driver in a manner to allow the RAT to not turn on the light.

      The “why” is only something I can guess. I suppose one reason is to save the couple of milliamps it takes to drive the LED. Not an issue in a notebook, but the camera module could be used in other applications.

      This was discussed on TWIT’s “security now”. I ran a few searches using site:grc.com since Steve Gibson has show transcripts, but I can’t find the episode where this was discussed. Doing a search on RAT itself was a shocker since the website turns out to have medical research on it!

        • Close and much thanks. Those are the show notes. This is a transcript of the podcast.
          https://www.grc.com/sn/sn-437.htm

          My recollection was reasonably good. What is missed is they leave the camera in standby. I don’t follow why that is done other than I assume to get the camera working as fast as possible.

          So the camera is in standby with the LED off. But standby probably means don’t put the data on the USB bus. The hacker has other ideas.

          At one time Apple used the camera to determine ambient light, which in turn would be used to adjust the display backlight. That would be a case where you surely needed the camera operating but not really on. All modern notebooks have a simple light sensor, totally independent of the camera.

      • Gary, a question.

        I do not use the laptop’s built in camera, but an accessory one connected via USB to the machine. If I Skype and the accessory one is not plugged in I do not get a picture (i.e. the machine does not shift to the built in camera).
        Can I assume that no one from the outside can utilize the built in one?

        • Nope.

          Skype has a Video Options menu. Select it, then Source. You may see that two or more camera sources are available, for example, built in and plugged in.

          Let’s say you selected the plugged in camera, then unplugged it. Skype won’t try the built in camera until you select it. That’s why it appears that no picture is present.

          But Skype’s selective blindness doesn’t mean the built in camera is off or inaccessible to other programs, including a remote access tool (RAT) or any other spyware.

          Your best defense against unwanted surveillance is to put a bit of black electrical tape over the built in camera and avoid talking in the presence of the built in microphone. The second best defense is to keep your laptop’s operating system up to date, to avoid spyware altogether.

  2. In the previous RAT cases, I recall that the authorities had evidence of the RAT authors actively involved in helping customers deploy and use the RAT for illegal purposes.

    I don’t think we’ve seen a prosecution based only on the RAT features that facilitate illegal activity. That would be a hard case to prosecute.

    • Right. Hence, this part from the story:

      “However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.”

      • Frank Ch. Eigler

        “tend to be viewed by prosecutors”

        … but such views are not the law. The production & distribution of dual-use things is almost always protected by law.

        • I agree, this is not how the law works.

          • ChrisSuperPogi

            I guess this explains why it took them this long to arrest the author…

            I was under the impression that he would’ve been arrested back in ’15/16 when the evidence of its nefarious use was discovered…

            Just my thoughts…

          • Blanche Dubois

            “but such views are not the law”?
            “not how the law works”?
            Is your legal adviser a Hollywood movie?

            What makes you think that Rezvesz only has 1-2 “criminal computer activity” charges to worry about now?
            His inconvenience started the moment the magistrate signed the search warrant.

            The entire address is subject to search and confiscation, to be perused at leisure by police. If other crimes are also discovered, or subsequently discovered, more warrants will flow. It will be charge pile-on time.

            And best, Mr. Rezvesz has no idea what other evidence the police of at least 3 nations have on him.

            Mr. Rezvesz could help all those fighting daily malware, by lying to police, now or during future interviews, on any subject.
            Messrs. Michael Flynn and Michael Cohen can now write short true stories about doing that.

            We’ll learn how “tough” Mr. Rezvesz really is.

            • If he knows he’s committed certain crimes, which he would have to assuming he did in fact commit crimes, then he knows exactly what evidence they could have on him. Evidence of potentially every single crime he committed.

      • I own firearms. Firearms I use for hunting, target competitions, self-defense, and to revolt against tyranny as is my constitutional right in the USA. I’ll bet Venezuelans regret giving theirs up now, in fact, they have said so. Firearms can also be used in violent crime. Should I be searched then? My firearms confiscated for pre-crime? Some “authorities” might think so. How about firearms manufacturers? Should they all be investigated? Are we all guilty until proven innocent?
        Don’t mistake me: this guy sounds like a bad actor, but a line may have been crossed by the authorities as well.

    • Strange features are probably hard to prove alone, but probably do enhance a prosecutor’s argument, particularly for the features that serve no purpose except for malice.

      The one that hugely stands out to me from the linked list is the “let it burn” feature, which literally has no purpose except to mess with the desktop of the affected user. There’s no legitimate remote administrative tool with this sort of feature.

      Similar can be said with “password recovery from famous applications” – this would fall afoul of any IT best practices about security (or even mediocre IT practices about security), and would never be included in any legitimate remote administrative tool.

      • Password recovery is common on remote admin tools. Hirens boot CD has had it for ages. It is useful for unlocking a local admin account on a machine that has lost connection to its domain, and becomes necessary when an admin inherits a domain that is not properly documented.

        • Well, I’ll start by saying rescue CDs are different than RATs. 🙂

          From what I know, OS manufacturers tend to frown on these “password recovery” tools in these rescue CDs (I know some admins use them, but some are “gray hat” in nature). The official Microsoft approach for instance is to create a password reset disk which, if you forget your password, you can use to reset it. Discussion of resetting local passwords is limited on many support forums (e.g. BleepingComputer) due to the difficulty of determining whether the requester of this support is the legitimate owner.

          Many remote administration tools do have the ability to manage local administrative accounts or domain accounts (including passwords). But we are talking about passwords stored in applications like browsers here. These are passwords that quite often do not fall under an administrator’s domain. Why would an admin need to remotely look at potentially sensitive user data that does not necessarily fall under their scope? They don’t need to. Hackers on the other hand would love potentially sensitive login information.

  3. The Sunshine State

    “I tend to have a violent nature, and have both Martial arts and Military training”

    He’s one of those internet tough guys hiding behind a keyboard and mouse, using intimidation to manipulate and spread false fear.

  4. Threatening someone and leaving a paper trail. This guy is not very bright. With an ego that huge, I don’t think he is capable of stealing a pack of gum from the local market without everyone knowing about it.

    • I had the same reaction. . . He stored his business records and contacts on site. I wonder if he even went to the trouble of encrypting them? I suspect that the RCMP et al. scored a treasure trove of information. Good for them!

  5. Seems like an edgelord on steroids.

    His profile pictures and ego come together for one of the more cringeworthy personas I have seen in a while.

    Best part is that you know he will read these comments. I’m just left wondering where he is hiding his Katanas and fedoras.

  6. The only time RCMP prosecutes cyber crime is when the FBI phones them and says “let us fill out that warrant application for you.”

    They have 200+ people “investigating” cyber crime (depending on what source you believe) and next to zero prosecutions.

  7. I bet those “legitimate users” of his “software” are now s__ting their pants knowing that their “real” names (according to that sleazeball) are in the hands of Canadian police 🙂

    Also when will those “legal” malware peddlers learn that you can’t do this from a Western country. You need to do it having a server in Russia or a similar country.

  8. So where is Sorzus in all of this?

  9. He did nothing wrong. The customers should be responsible for their own actions. Fuck the police.

  10. The story needs a phonetic guide to the suspect’s name.

    And an update if/when there’s an arrest.

    Interesting case.

    Canadian judges can prohibit an individual from accessing particular websites, before an arrest or conviction or even an evidentiary hearing on the websites’ content?

  11. CHC of Asheville

    Question: does switching off “Allow Remote Connections” in Windows have any effect on one’s vulnerability — or does the malware just switch this setting to True if it isn’t true already?

    • CHC of Asheville,

      Malware/RATs do not care about this setting. Setting it to False will not stop malware. Malware/RATs do not need to set it to True to operate in their full capacity.

      They do not need to use Windows’ built-in remote desktop abilities to operate in a “remote desktop” capacity. As such the aforementioned option will not protect you. However, you should have it set to False regardless (unless you have a legitimate use for it).

      Protect your computer by making sure you have Windows Defender enabled, ideally with another antivirus or antimalware solution on top of it such as Malwarebytes, ESET, Kaspersky, Bit Defender, etc. Everyone has their opinions on which is best.

      Thanks

  12. Bound to Happen

    You’re giving him way too much credit. Sorzus was the real author, not John “Armada” Rezvesz. Armada couldn’t even code.

  13. That’s messed up that he used the bitcoin logo in his ad. For shame.




Security Tools


17
Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.
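The two designs at issue here, written out as an added example that is not code from the original post or from Yahoo: a reset flow that selects the account by phone number and hands it to whoever currently receives texts at that number, beside one that makes the caller name the account, proves control through the registered e-mail address, and uses the SMS code only as a second factor bound to that account. The sample accounts, the in-memory stand-ins for the SMS gateway and mail server, and the six-digit code format are assumptions constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data, not real accounts. Alice registered +1-555-555-0100
# years ago; the carrier has since recycled that number to Mallory.
ACCOUNTS = {
    "alice@example.com": {"phone": "+15555550100", "password_hash": "old-hash"},
    "bob@example.com":   {"phone": "+15555550200", "password_hash": "old-hash"},
}
CODE_TTL = 600  # seconds a reset code stays valid (assumed)

# Stand-ins for the SMS gateway and mail server so the block runs offline.
SENT_SMS = []    # (phone, code)
SENT_EMAIL = []  # (email, token)

@dataclass
class Pending:
    email: str
    sms_code: str
    email_token: str
    expires_at: float
    attempts: int = 0

def _new_code():
    return f"{secrets.randbelow(10**6):06d}"

# --- Vulnerable flow: the phone number *is* the identity ---------------------
# Whoever receives texts at the number is handed whatever account is attached
# to it, which after reassignment is the previous owner's.
def vulnerable_request_reset(phone, pending):
    for email, acct in ACCOUNTS.items():
        if acct["phone"] == phone:
            code = _new_code()
            pending[phone] = Pending(email, code, "", time.time() + CODE_TTL)
            SENT_SMS.append((phone, code))
            return True
    return False

def vulnerable_confirm_reset(phone, code, pending):
    pr = pending.get(phone)
    if pr and time.time() <= pr.expires_at and hmac.compare_digest(pr.sms_code, code):
        del pending[phone]
        return pr.email  # caller is now logged in as whoever owns the number
    return None

# --- Hardened flow: the phone is a second factor, never the identifier -------
# The caller must name the account. Proof of control goes to the registered
# e-mail address, and the SMS code is an additional factor bound to that
# account. Holding the (recycled) number alone is no longer sufficient.
def hardened_request_reset(email, pending):
    acct = ACCOUNTS.get(email)
    if acct is None:
        return  # respond identically either way so the endpoint can't enumerate accounts
    token = secrets.token_urlsafe(32)
    code = _new_code()
    pending[email] = Pending(email, code, token, time.time() + CODE_TTL)
    SENT_EMAIL.append((email, token))
    SENT_SMS.append((acct["phone"], code))

def hardened_confirm_reset(email, email_token, sms_code, new_hash, pending):
    pr = pending.get(email)
    if pr is None or time.time() > pr.expires_at:
        return False
    pr.attempts += 1
    if pr.attempts > 5:            # a six-digit code must not be brute-forceable
        del pending[email]
        return False
    ok = (hmac.compare_digest(pr.email_token, email_token)
          and hmac.compare_digest(pr.sms_code, sms_code))
    if not ok:
        return False
    del pending[email]             # single use
    ACCOUNTS[email]["password_hash"] = new_hash
    return True

def demo_recycled_number():
    """Mallory now owns Alice's old number and nothing else."""
    mallory_phone = "+15555550100"
    pending = {}
    vulnerable_request_reset(mallory_phone, pending)
    code = SENT_SMS[-1][1]                   # arrives on Mallory's handset
    hijacked = vulnerable_confirm_reset(mallory_phone, code, pending)

    pending = {}
    hardened_request_reset("alice@example.com", pending)
    code = SENT_SMS[-1][1]                   # Mallory still receives this one...
    guessed_token = "not-the-real-token"     # ...but she cannot read Alice's inbox
    blocked = hardened_confirm_reset("alice@example.com", guessed_token, code,
                                     "new-hash", pending)
    return hijacked, blocked
```

Calling demo_recycled_number() returns the e-mail of the account the vulnerable flow hands to the new holder of a recycled number, followed by False for the same person against the hardened flow. Note what the hardened flow does not fix: whoever holds the number still receives the code, which is why the number can never be sufficient on its own, the point Nixon makes above.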

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites. Continue reading →


8
Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, that I should be ready to provide said information if I was requesting changes via phone or email. 

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.
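One way to do the confirmation step the paragraph describes, written here as an added example and not Equifax’s code: the link carries an HMAC-signed, expiring token bound to both the account and the address, the portal accepts it only for that address, and a freeze or thaw request is refused until the address has been confirmed. The in-memory account store, the numeric account IDs, the server key generated at import time and the one-day validity window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key; in production this comes from a secret store, never from
# source. Generated here only so the example is self-contained (assumption).
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL = 24 * 3600  # a confirmation link is good for one day (assumption)

ACCOUNTS = {}  # account_id -> record; constructed in-memory store

def make_confirmation_token(account_id, email, now=None):
    """Return an opaque token binding a numeric account_id to an e-mail address.

    Layout: account_id.expiry.hexdigest. The MAC covers the address being
    verified, so a token minted for one address cannot confirm another one.
    """
    base = time.time() if now is None else now
    expiry = int(base + LINK_TTL)
    msg = f"{account_id}|{email.lower()}|{expiry}".encode()
    sig = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{account_id}.{expiry}.{sig}"

def verify_confirmation_token(token, email, now=None):
    """Return the account_id the token was minted for if it is valid for
    this address and not expired, else None."""
    try:
        account_id, expiry_s, sig = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if current > expiry:
        return None
    msg = f"{account_id}|{email.lower()}|{expiry}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return account_id

def create_account(account_id, email):
    """Register the account unverified and return the token to mail out.
    Nothing sensitive is allowed until the link comes back."""
    ACCOUNTS[account_id] = {"email": email, "email_verified": False}
    return make_confirmation_token(account_id, email)

def confirm_email(token, email):
    account_id = verify_confirmation_token(token, email)
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["email"].lower() != email.lower():
        return False
    rec["email_verified"] = True
    return True

def request_freeze_thaw(account_id):
    """Gate the sensitive action on a contact channel the user has proven."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or not rec["email_verified"]:
        return "refused: confirm your e-mail address first"
    return "thaw scheduled"
```

The token is stateless, so the server keeps nothing per link; the trade-off is that a token stays valid until it expires even if the user changes the address, which is why the verifier re-checks the address against the record rather than trusting the token alone.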

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover that when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.” Continue reading →


1
Dec 18

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised. Continue reading →


23
Nov 18

How to Shop Online Like a Security Pro

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.

Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at a huge discount.

I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.

Here are some other safety and security tips to keep in mind when shopping online:

-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.

If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. Registrant contact details are often redacted these days, but the domain’s creation date is normally still shown. The more recent the site’s “created” date, the more likely it is a phantom store.
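The creation-date check described above, as an added example that is not from the original post: a parser for the creation-date line across a few of the spellings registries use, and an age threshold that flags a young domain. The WHOIS replies are constructed for the example, and the 180-day cut-off and the list of field names are assumptions; fetching the record itself (WHOIS on TCP port 43, or a registrar’s RDAP endpoint) is left out so the block runs offline.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS replies, typed out for the example. Real output varies by
# registry and registrar, which is why the parser tolerates several spellings.
WHOIS_SAMPLES = {
    "longstanding-shop.example": (
        "Domain Name: LONGSTANDING-SHOP.EXAMPLE\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2009-03-14T10:22:31Z\n"
        "Registry Expiry Date: 2020-03-14T10:22:31Z\n"
    ),
    "blackfriday-deals-2018.example": (
        "Domain Name: blackfriday-deals-2018.example\n"
        "Registrar: Example Registrar, Inc.\n"
        "Created On: 2018-11-09\n"
        "Expiration Date: 2019-11-09\n"
    ),
    "no-dates.example": "Domain Name: no-dates.example\nStatus: ok\n",
}

# Field names seen in practice; partial list (assumption), extend as needed.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Registration Date|created)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")

def parse_creation_date(whois_text):
    """Return the domain's creation date as a timezone-aware datetime, or None
    when no recognisable creation line is present."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in _FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None

def _as_datetime(now):
    """Accept None (current time), a 'YYYY-MM-DD' string, or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now

def domain_age_days(whois_text, now=None):
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (_as_datetime(now) - created).days

def assess(whois_text, now=None, min_age_days=180):
    """'established', 'new' (treat as a possible phantom store) or 'unknown'.
    A record with no readable creation date is itself a reason for caution."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown"
    return "new" if age < min_age_days else "established"

def assess_all(now=None, samples=WHOIS_SAMPLES):
    return {domain: assess(text, now) for domain, text in samples.items()}
```

Run assess_all("2018-11-23") to see the three sample records classified as of the week this post went up; feed assess() the text of a live WHOIS or RDAP lookup to use it for real.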

-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.

No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.

Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.

To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”).  But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean the site is legitimate. Nor is it any sort of testimonial that the site has been security-hardened against intrusion from hackers.

The https:// part of the address signifies only that the traffic between your browser and the site is encrypted and can’t be read or tampered with in transit by third parties, and that whoever set up the site proved control of that domain name to a certificate authority; it says nothing about who that is. Even so, anti-phishing company PhishLabs found in a survey last year that more than 80% of respondents believed the green lock indicated that a website was either legitimate and/or safe.

Now that anyone can get SSL certificates for free, phishers and other scammers that ply their trade via fake Web sites are starting to up their game. In December 2017, PhishLabs estimated that a quarter of all phishing Web sites were outfitting their scam pages with SSL certificates to make them appear more trustworthy. According to PhishLabs, roughly half of all phishing sites now feature the padlock.  Continue reading →


14
Nov 18

Patch Tuesday, November 2018 Edition

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player, Acrobat and Reader users.

As per usual, most of the critical flaws — those that can be exploited by malware or miscreants without any help from users — reside in Microsoft’s Web browsers Edge and Internet Explorer.

This week’s patch batch addresses two flaws of particular urgency: One is a zero-day vulnerability (CVE-2018-8589) that is already being exploited to compromise Windows 7 and Server 2008 systems.

The other is a publicly disclosed bug in Microsoft’s Bitlocker encryption technology (CVE-2018-8566) that could allow an attacker to get access to encrypted data. One mitigating factor with both security holes is that the attacker would need to be already logged in to the targeted system to exploit them.

Of course, if the target has Adobe Reader or Acrobat installed, it might be easier for attackers to achieve that log in. According to analysis from security vendor Qualys, there is now code publicly available that could force these two products to leak a hash of the user’s Windows password (which could then be cracked with open-source tools). A new update for Acrobat/Reader fixes this bug, and Adobe has published some mitigation suggestions as well. Continue reading →


21
Sep 18

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).

And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

To file a freeze, consumers must contact each of the three major credit bureaus online, by phone or by mail. Here’s the updated contact information for the big three:

Online: Equifax Freeze Page
By phone: 800-685-1111
By Mail: Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348-5788

Online: Experian
By phone: 888-397-3742
By Mail: Experian Security Freeze
P.O. Box 9554, Allen, TX 75013

Online: TransUnion
By Phone: 888-909-8872
By Mail: TransUnion LLC
P.O. Box 2000 Chester, PA 19016

Spouses may request freezes for each other by phone as long as they pass authentication.

The new law also makes it free to place, thaw and lift freezes for dependents under the age of 16, or for incapacitated adult family members. However, this process is not currently available online or by phone, as it requires parents/guardians to submit written documentation (“sufficient proof of authority”), such as a copy of a birth certificate and copy of a Social Security card issued by the Social Security Administration, or — in the case of an incapacitated family member — proof of power of attorney.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which are free but until now lasted only 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Another important change: Fraud alerts now last for one year (previously they lasted just 90 days) but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this. Continue reading →


12
Sep 18

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.” Continue reading →


10
Sep 18

In a Few Days, Credit Freezes Will Be Fee-Free

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name.

Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.

KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.

The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.

Via numerous front-end Web sites, each of these mini credit bureaus serves thousands or tens of thousands of people who work in the above mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.

In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).

SCORE ONE FOR FREEZES

The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.

KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].

Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.

“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.

With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.

“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”

I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.

Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the kinds of consumer data exposed in the breach have been for sale in the cybercrime underground for many years, covering a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.

It costs $35 worth of bitcoin through this cybercrime service to pull someone’s credit file from the three major credit bureaus. There are many services just like this one, which almost certainly abuse hacked accounts from various industries that have “legitimate” access to consumer credit reports.



29
Aug 18

Instagram’s New Security Tools are a Welcome Step, But Not Enough

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

New two-factor authentication options Instagram says it is rolling out to users over the next few weeks.

For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit).

The new authentication offering requires users to download a third-party app like Authy, Duo or Google Authenticator, which generates a one-time code that needs to be entered after the user supplies a password.

In a blog post Tuesday, Instagram said support for third-party authenticator apps “has begun to roll out and will be available to the global community in the coming weeks.”

Instagram put me on a whitelist of accounts to get an early peek at the new security feature, so these options probably aren’t yet available to most users. But there’s a screenshot below that shows the multi-factor options available in the mobile app. When these options do become more widely available, Instagram says people can use a third-party app to receive a one-time code. To do this:

  1. Go to your Settings.
  2. Scroll down and tap Two-Factor Authentication.
  3. If you haven’t already turned two-factor authentication on, tap Get Started.
  4. Tap next to Authentication App, then follow the on-screen instructions.
  5. Enter the confirmation code from the third-party authentication app to complete the process.

Note that if you have previously enabled SMS-based authentication, it is likely still enabled unless and until you disable it. The app also prompts users to save a series of recovery codes, which should be kept in a safe place in case one’s mobile device is ever lost.

WHAT IT DOESN’T FIX

Instagram has received quite a lot of bad press lately from publications reporting numerous people who had their accounts hijacked even though they had Instagram’s SMS authentication turned on. The thing is, many of those stories have been about people having their Instagram accounts hijacked because fraudsters were able to hijack their mobile phone number.

In these cases, the fraudsters were able to hijack the Instagram accounts because Instagram allows users to reset their account passwords with a single factor — using nothing more than a text message sent to a mobile number on file. And nothing in these new authentication offerings will change that for people who have shared their mobile number with Instagram.

Criminals can and do exploit SMS-based password reset requests to hijack Instagram accounts by executing unauthorized “SIM swaps,” i.e., tricking the target’s mobile provider into transferring the phone number to a device or account they control and intercepting the password reset link sent via SMS. Once they hijack the target’s mobile number, they can then reset the password for the associated Instagram account.

I asked Instagram if there was any way for people who have supplied the company with their phone number to turn off SMS-based password reset requests. I received this response from their PR folks:

“I can confirm that disabling SMS two factor will not disable the ability to reset a password via SMS,” a spokesperson said via email. “We recommend that the community use a third-party app for authentication, in place of SMS authentication. We’ll continue to iterate and improve on this product to keep people safe on our platform.”


1
Aug 18

Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed. “We point this out to encourage everyone here to move to token-based 2FA.”

Reddit didn’t specify how the SMS code was stolen, although it did say the intruders did not hack Reddit employees’ phones directly. Nevertheless, there are a variety of well-established ways that attackers can intercept one-time codes sent via text message.

In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider. In both port-out and SIM swap schemes, the victim’s phone service gets shut off and any one-time codes delivered by SMS (or automated phone call) get sent to a device that the attackers control.


Time to Patch


13
Mar 19

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.


12
Feb 19

Patch Tuesday, February 2019 Edition

Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.

Some 20 of the flaws addressed in February’s update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems through little or no help from users — save from convincing a user to visit a malicious or hacked Web site.

Microsoft patched a bug in Internet Exploder Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target’s hard drive.

Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request.

At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inbox of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.


9
Jan 19

Patch Tuesday, January 2019 Edition

Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details.


19
Dec 18

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.


11
Dec 18

Patch Tuesday, December 2018 Edition

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate his privileges on a host system. The weakness, which is present on all supported versions of Windows, is tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.

According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is a flaw in all supported versions of PowerPoint which is also likely to be used by attackers.


14
Nov 18

Patch Tuesday, November 2018 Edition

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player, Acrobat and Reader users.

As per usual, most of the critical flaws — those that can be exploited by malware or miscreants without any help from users — reside in Microsoft’s Web browsers Edge and Internet Explorer.

This week’s patch batch addresses two flaws of particular urgency: One is a zero-day vulnerability (CVE-2018-8589) that is already being exploited to compromise Windows 7 and Server 2008 systems.

The other is a publicly disclosed bug in Microsoft’s Bitlocker encryption technology (CVE-2018-8566) that could allow an attacker to get access to encrypted data. One mitigating factor with both security holes is that the attacker would need to be already logged in to the targeted system to exploit them.

Of course, if the target has Adobe Reader or Acrobat installed, it might be easier for attackers to achieve that login. According to analysis from security vendor Qualys, there is now code publicly available that could force these two products to leak a hash of the user’s Windows password (which could then be cracked with open-source tools). A new update for Acrobat/Reader fixes this bug, and Adobe has published some mitigation suggestions as well.


11
Oct 18

Patch Tuesday, October 2018 Edition

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available.

The zero-day bug — CVE-2018-8453 — affects Windows versions 7, 8.1, 10 and Server 2008, 2012, 2016 and 2019. According to security firm Ivanti, an attacker first needs to log into the operating system, but then can exploit this vulnerability to gain administrator privileges.

Another vulnerability patched on Tuesday — CVE-2018-8423 — was publicly disclosed last month along with sample exploit code. This flaw involves a component shipped on all Windows machines and used by a number of programs, and could be exploited by getting a user to open a specially-crafted file — such as a booby-trapped Microsoft Office document.

KrebsOnSecurity has frequently suggested that Windows users wait a day or two after Microsoft releases monthly security updates before installing the fixes, with the rationale that occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

This month, Microsoft briefly paused updates for Windows 10 users after many users reported losing all of the files in their “My Documents” folder. The worst part? Rolling back to previous saved versions of Windows prior to the update did not restore the files.


9
Oct 18

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

A rendering of Xiongmai’s center in Hangzhou, China. Source: xiongmaitech.com

In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd.) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security.

Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems.

“Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

PROBLEM TO PROBLEM

A core part of the problem is the peer-to-peer (P2P) communications component called “XMEye” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything.

The various business lines of Xiongmai. Source: xiongmaitech.com

To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db).

Electronics firms are assigned ranges of MAC addresses that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG.

SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online.

[For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those that advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice.]

BLANK TO BANK

While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e., no password).

The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials.

The raw, unbranded electronic components of an IP camera produced by Xiongmai.

Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams.

Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections.

In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot.
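To make concrete the signed-update protection the preceding paragraphs say XMEye devices lack, here is an added Go example (not Xiongmai’s, SEC Consult’s or any vendor’s code). It shows the vendor side signing an image with an Ed25519 private key held offline and the device side refusing to install anything whose signature does not verify against the public key it shipped with. The image layout (a 4-byte length, the payload, then a 64-byte signature) is a constructed one for illustration, not XMEye’s real format, and the key pair is generated on the spot as a stand-in for a real key ceremony.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real vendor format):
//   [4-byte big-endian payload length][payload][64-byte Ed25519 signature over header+payload]
const sigLen = ed25519.SignatureSize

// generateKeyPair stands in for the vendor's offline key ceremony: the private
// key never leaves the build environment; the public key is burned into devices.
func generateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signImage is the vendor side: sign the length header together with the
// payload so neither can be altered independently.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyImage is the device side, run before anything touches flash. It
// returns the payload only if the structure is sane and the signature checks.
func verifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 4+sigLen {
		return nil, errors.New("image too short to carry a header and signature")
	}
	n := int(binary.BigEndian.Uint32(image[:4]))
	if n != len(image)-4-sigLen {
		return nil, errors.New("length field does not match image size")
	}
	body, sig := image[:4+n], image[4+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature check failed: refusing to install")
	}
	return body[4:], nil
}

// tamper flips one payload byte, modelling an image altered in transit by a
// spoofed update server; the device must reject it.
func tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[4] ^= 0x01
	return out
}

func main() {
	pub, priv := generateKeyPair()
	image := signImage(priv, []byte("constructed firmware payload v1.0"))
	if fw, err := verifyImage(pub, image); err == nil {
		fmt.Printf("genuine image accepted: %q\n", fw)
	}
	if _, err := verifyImage(pub, tamper(image)); err != nil {
		fmt.Println("tampered image rejected:", err)
	}
	otherPub, _ := generateKeyPair()
	if _, err := verifyImage(otherPub, image); err != nil {
		fmt.Println("image signed by a different key rejected:", err)
	}
}
```

The length check before the signature check matters on a small device: parsing an untrusted header to decide how much to read is itself an attack surface, so the device should never act on a length it has not reconciled with the bytes it actually received. Note also that this scheme only helps if the public key is fixed in the device; a device that will accept a new public key from the same unauthenticated update channel has gained nothing.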


11
Sep 18

Patch Tuesday, September 2018 Edition

Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, including several flaws that were publicly detailed prior to today and one “zero-day” bug in Windows that is already being actively exploited by attackers.

As per usual, the bulk of the fixes from Microsoft tackle security weaknesses in the company’s Web browsers, Internet Explorer and Edge. Patches also are available for Windows, Office, Sharepoint, and the .NET Framework, among other components.

Of the 61 bugs fixed in this patch batch, 17 earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to break into Windows computers with little or no help from users.

The zero-day flaw, CVE-2018-8440, affects Microsoft operating systems from Windows 7 through Windows 10 and allows a program launched by a restricted Windows user to gain more powerful administrative access on the system. It was first publicized August 27 in a (now deleted) Twitter post that linked users to proof-of-concept code hosted on Github. Since then, security experts have spotted versions of the code being used in active attacks.

According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. The first, CVE-2018-8457, is a critical memory corruption issue that could be exploited through a malicious Web site or Office file. CVE-2018-8475 is a critical bug in most supported versions of Windows that can be used for nasty purposes by getting a user to view a specially crafted image file. The third previously disclosed flaw, CVE-2018-8409, is a somewhat less severe “denial-of-service” vulnerability.


23
Aug 18

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”



02
Apr 19

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”

“I am not your A-typical computer geek, Brian,” he wrote in a 2018 email. “I tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.”

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

Earlier this year, Rezvesz posted on Twitter that he was making the source code for Orcus RAT publicly available, and focusing his attention on developing a new and improved RAT product.

Meanwhile on Hackforums[.]net — the forum where Orcus was principally advertised and sold — members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.

“Orcus is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to a screenshot of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. Stay safe, don’t do stupid shit.”


40 comments

  1. Sascha A. Carlin

    What still makes me wonder is why we have not seen hardware manufacturers finally put an end to abuse of webcams and make sure, hardware-wise, that such cameras cannot be active without their indicators, well, indicating that they are.

    I guess I am missing something important here. Can somebody please point me to it?

    • It seems so obvious that the power going to the webcam should be the same power source that lights the LED indicator – so that it’s electrically impossible for the webcam to be on without the LED also being on. Instead, manufacturers control the LED indicator with firmware, which, as we have seen, can be disabled maliciously. No one is holding device manufacturers responsible for user privacy.

      • There is one problem with that idea…the fact that doing it that way would require the LED and the camera to have identical power requirements, which they do not. (Not even close, looking at options for cameras at DigiKey…)

        So, as a result, they need separate (and different) power feeds, each of which requires their own control. Sure, you could use a relay…a solid-state relay would be the smallest option. But it would still require your laptop lid to be nearly half an inch thick to accommodate it. And thus that power switching control ends up being done via software because, well, people like thin laptops, not thick ones.

        • You wouldn’t need a SSR. Just one mosfet doing low side switching for the LED, or a BJT and a resistor in series with the base.

          Look for my post on Steve Gibson’s podcast.

        • All you need is a physical switch for both the mic and camera. Switch it off, and neither the mic nor the camera is capable of being turned on. That’s it, that’s all. It can be done with a pretty small switch with 2 separate power cables for each device.

          • Physical switches cost money. The device manufacturer has to test them with some sort of physical device to move the switch, or a person.

            A shutter on the camera might be cheaper.

    • I can somewhat explain this. The camera needs firmware. To keep things cheap, there is no programmable memory in the camera to hold the firmware. Rather, the OS driver is what uploads the firmware. So the hacker changes the driver in a manner that allows the RAT to not turn on the light.

      The “why” is only something I can guess. I suppose one reason is to save the couple of milliamps it takes to drive the LED. Not an issue in a notebook, but the camera module could be used in other applications.

      This was discussed on TWIT’s “security now”. I ran a few searches using site:grc.com since Steve Gibson has show transcripts, but I can’t find the episode where this was discussed. Doing a search on RAT itself was a shocker since the website turns out to have medical research on it!

        • Close and much thanks. Those are the show notes. This is a transcript of the podcast.
          https://www.grc.com/sn/sn-437.htm

          My recollection was reasonably good. What is missed is they leave the camera in standby. I don’t follow why that is done other than I assume to get the camera working as fast as possible.

          So the camera is in standby with the LED off. But standby probably means don’t put the data on the USB bus. The hacker has other ideas.

          At one time Apple used the camera to determine ambient light, which in turn would be used to adjust the display backlight. That would be a case where you surely needed the camera operating but not really on. All modern notebooks have a simple light sensor, totally independent of the camera.

      • Gary, a question.

        I do not use the laptop’s built in camera, but an accessory one connected via USB to the machine. If I Skype and the accessory one is not plugged in I do not get a picture (i.e. the machine does not shift to the built in camera).
        Can I assume that no one from the outside can utilize the built in one?

        • Nope.

          Skype has a Video Options menu. Select it, then Source. You may see that two or more camera sources are available, for example, built in and plugged in.

          Let’s say you selected the plugged in camera, then unplugged it. Skype won’t try the built in camera until you select it. That’s why it appears that no picture is present.

          But Skype’s selective blindness doesn’t mean the built in camera is off or inaccessible to other programs, including a remote access tool (RAT) or any other spyware.

          Your best defense against unwanted surveillance is to put a bit of black electrical tape over the built in camera and avoid talking in the presence of the built in microphone. The second best defense is to keep your laptop’s operating system up to date, to avoid spyware altogether.

  2. In the previous RAT cases, I recall that the authorities had evidence of the RAT authors actively involved in helping customers deploy and use the RAT for illegal purposes.

    I don’t think we’ve seen a prosecution based only on the RAT features that facilitate illegal activity. That would be a hard case to prosecute.

    • Right. Hence, this part from the story:

      “However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.”

      • Frank Ch. Eigler

        “tend to be viewed by prosecutors”

        … but such views are not the law. The production & distribution of dual-use things is almost always protected by law.

        • I agree, this is not how the law works.

          • ChrisSuperPogi

            I guess this explains why it took them this long to arrest the author…

            I was under the impression that he would’ve been arrested back in ’15/16 when the evidence of its nefarious use was discovered…

            Just my thoughts…

          • Blanche Dubois

            “but such views are not the law”?
            “not how the law works”?
            Is your legal adviser a Hollywood movie?

            What makes you think that Rezvesz only has 1-2 “criminal computer activity” charges to worry about now?
            His inconvenience started the moment the magistrate signed the search warrant.

            The entire address is subject to search and confiscation, to be perused at leisure by police. If other crimes are also discovered, or subsequently discovered, more warrants will flow. It will be charge pile-on time.

            And best, Mr. Rezvesz has no idea what other evidence the police of at least 3 nations have on him.

            Mr. Rezvesz could help all those fighting daily malware, by lying to police, now or during future interviews, on any subject.
            Messrs. Michael Flynn and Michael Cohen can now write short true stories about doing that.

            We’ll learn how “tough” Mr. Rezvesz really is.

            • If he knows he’s committed certain crimes, which he would have to assuming he did in fact commit crimes, then he knows exactly what evidence they could have on him. Evidence of potentially every single crime he committed.

      • I own firearms. Firearms I use for hunting, target competitions, self-defense, and to revolt against tyranny as is my constitutional right in the USA. I’ll bet Venezuelans regret giving theirs up now, in fact, they have said so. Firearms can also be used in violent crime. Should I be searched then? My firearms confiscated for pre-crime? Some “authorities” might think so. How about firearms manufacturers? Should they all be investigated? Are we all guilty until proven innocent?
        Don’t mistake me: this guy sounds like a bad actor, but a line may have been crossed by the authorities as well.

    • Strange features are probably hard to prove alone, but probably do enhance a prosecutor’s argument, particularly for the features that serve no purpose except for malice.

      The one that hugely stands out to me from the linked list is the “let it burn” feature, which literally has no purpose except to mess with the desktop of the affected user. There’s no legitimate remote administrative tool with this sort of feature.

      Similar can be said with “password recovery from famous applications” – this would fall afoul of any IT best practices about security (or even mediocre IT practices about security), and would never be included in any legitimate remote administrative tool.

      • Password recovery is common on remote admin tools. Hiren’s Boot CD has had it for ages. It is useful for unlocking a local admin account on a machine that has lost connection to its domain, and becomes necessary when an admin inherits a domain that is not properly documented.

        • Well, I’ll start by saying rescue CDs are different than RATs. 🙂

          From what I know, OS manufacturers tend to frown on these “password recovery” tools in these rescue CDs (I know some admins use them, but some are “gray hat” in nature). The official Microsoft approach, for instance, is to create a password reset disk which, if you forget your password, you can use to reset it. Discussion of resetting local passwords is limited on many support forums (e.g. BleepingComputer) due to the difficulty of determining whether the requester of this support is the legitimate owner.

          Many remote administration tools do have the ability to manage local administrative accounts or domain accounts (including passwords). But we are talking about passwords stored in applications like browsers here. These are passwords that quite often do not fall under an administrator’s domain. Why would an admin need to remotely look at potentially sensitive user data that does not necessarily fall under their scope? They don’t need to. Hackers on the other hand would love potentially sensitive login information.

  3. The Sunshine State

    “I tend to have a violent nature, and have both Martial arts and Military training”

    He’s one of those internet tough guys hiding behind a keyboard and mouse, using intimidation to manipulate and spread false fear.

  4. Threatening someone and leaving a paper trail. This guy is not very bright. With an ego that huge, I don’t think he is capable of stealing a pack of gum from the local market without everyone knowing about it.

    • I had the same reaction. . . He stored his business records and contacts on site. I wonder if he even went to the trouble of encrypting them? I suspect that the RCMP et al. scored a treasure trove of information. Good for them!

  5. Seems like an edgelord on steroids.

    His profile pictures and ego come together for one of the more cringeworthy personas I have seen in a while.

    Best part is that you know he will read these comments. I’m just left wondering where he is hiding his Katanas and fedoras.

  6. The only time RCMP prosecutes cyber crime is when the FBI phones them and says “let us fill out that warrant application for you.”

    They have 200+ people “investigating” cyber crime (depending on what source you believe) and next to zero prosecutions.

  7. I bet those “legitimate users” of his “software” are now s__ting their pants knowing that their “real” names (according to that sleazeball) are in the hands of Canadian police 🙂

    Also, when will those “legal” malware peddlers learn that you can’t do this from a Western country. You need to do it having a server in Russia or a similar country.

  8. So where is Sorzus in all of this?

  9. He did nothing wrong. The customers should be responsible for their own actions. Fuck the police.

  10. The story needs a phonetic guide to the suspect’s name.

    And an update if/when there’s an arrest.

    Interesting case.

    Canadian judges can prohibit an individual from accessing particular websites, before an arrest or conviction or even an evidentiary hearing on the websites’ content?

  11. CHC of Asheville

    Question: does switching off “Allow Remote Connections” in Windows have any effect on one’s vulnerability — or does the malware just switch this setting to True if it isn’t true already?

    • CHC of Asheville,

      Malware/RATs do not care about this setting. Setting it to False will not stop malware. Malware/RATs do not need to set it to True to operate in their full capacity.

      They do need to use Windows’ built-in remote desktop abilities to operate in a “remote desktop” capacity. As such, the aforementioned option will not protect you. However, you should have it set to False regardless (unless you have a legitimate use for it).

      Protect your computer by making sure you have Windows Defender enabled, ideally with another antivirus or antimalware solution on top of it such as Malwarebytes, ESET, Kaspersky, Bitdefender, etc. Everyone has their opinions on which is best.

      Thanks

  12. Bound to Happen

    You’re giving him way too much credit. Sorzus was the real author, not John “Armada” Rezvesz. Armada couldn’t even code.

  13. That’s messed up that he used the bitcoin logo in his ad. For shame.


15
Oct 12

The Scrap Value of a Hacked PC, Revisited

A few years back, when I was a reporter at The Washington Post, I put together a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?,” are all common refrains from this type of user.

I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.

Next time someone asks why miscreants might want to hack his PC, show him this diagram.

One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.

By way of example, consider the point-and-click tools pictured below, which are offered on several fraud forums by one enterprising young miscreant. This guy makes and markets dozens of account checking tools that are used to test the validity and status of many popular online stores and services, including Amazon, American Express, eBay, Facebook, iTunes, PayPal and Skype, to name a few.

Account checking tools sold on the cybercriminal underground by one vendor.

Principally, I see the hacked PC graphic as a way to capture the average user’s attention and imagination. Hopefully, these folks can then be guided toward some simple steps to keeping their machine from getting hacked. I’m building a running list of applications, simple tools and tips that can help on this front, available here.


28 comments

  1. Good work (as always)!

    Would you allow a german translation (at least of the picture), that then will be published on a non-commercial blog?

    Greetings

    Thomas Wallutis

  2. GREAT INFO!!!!
    This is a handy-dandy visual that should capture a lot of folks’ attention.
    And yes, you are definitely correct about the mentality of folks who make those kinds of comments – they still generate a lot of information without realizing it.
    These people are only thinking of the moment and not down the road holistically as to what they do on their PC (or Apple, or UNIX or etc…).

  3. Great diagram Brian. I’d also add some other uses for a hacked server in support of criminal infrastructure. IRC server or bot for an oldie but a goodie, proxy box, malware C&C, drop-box location, DNS server, etc. Lots of great uses for those CPU cycles.

    Rod

  4. In your “Tools for a Safer PC” list you mention that only one program you know is designed to run alongside other Virus software. A program I have used a ton and found very effective is Hitman Pro, and it is also designed to run alongside other virus programs. It leverages the cloud to utilize multiple virus databases and I’ve found it also works for several rootkits such as TDSS and TDL4 that other apps miss. I’ve used it several times on my computers and found it works really well.

  5. Great graphic, thanks. What kind of reuse license is associated with the graphic? I’d like to send it to management.

  6. I would recommend Qualys Browser Check too, which checks for missing patches and other common issues. Install the addon to scan in depth, and to scan your other installed browsers. Or scan without the addon and it will audit just your current browser for security issues via information it leaks to all websites. Their FAQ says they support Mac and Linux too, but I’ve only tried it on Windows and Android.

  7. You may want to also add espionage, sabotage, and eavesdropping as possible uses, especially when thinking about Flame and its use in the Middle East.

  8. What is “CAPTCHA solving zombie” exactly?

    Since I use various automated processes in marketing efforts I’m familiar with outsourcing – Death by Captcha and many other services – and external applications – Captcha Sniper and Xrumer “bridge” method – to solve captchas. Is this what you’re referring to?

    It would make sense particularly for solving ReCaptcha using Xrumer: this often takes many attempts and more or less as much CPU time as you can throw at it.

    I hear (but don’t have access to or anything other than rumours to go on) that there are private or semi-private captcha solving applications out there that are kept private to combat captcha providers reacting to them.

  9. Syllogism:
    1. If security of my PC was a big problem, I’d have to do a lot of work to prevent it.

    2. I don’t want to have to do a lot of work.

    Ergo:

    Obviously the security of my PC is not a big problem. Otherwise I’d have fixed that a long time ago…

    • Funny, but blatant truth is there are vegetative life-forms of ignorant and/or brainless meatballs out there simply too stupid for information society. Some call that evolution. Bizarre twist: they know they’re failing… Ergo: no need to worry about. 🙁

  10. Great article. Thanks.

    Want to point out though that the HTTPS version of your page has insecure content (actually a friend spotted). Would be good to fix that, because it might encourage people still learning about security to trust mixed content sites more than they should.

    Cheers, David.

  11. Brian: In your “Tools for a Safer PC” you mention turning off JavaScript. I’m pretty sure you mean Java, don’t you? You’ve always spoken out against Java, not JavaScript (which has nothing to do with Java).

    • Please read the JavaScript passage again; in the second to last paragraph Brian points out: “Please note that Java and Javascript are two very different things.” – So yes, he’s talking about JavaScript there, but he didn’t suggest turning JavaScript off…

      • Yeah, the part about JavaScript and Java being different that he mentioned I missed somehow (I scanned over the article too quickly). But he does say:

        “But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.”

        Which seems to be suggesting to turn JavaScript off. Though you can do this, running software like NoScript is not something for anything but experienced users to do. There are far too many scripting options that come up and it is probably not obvious to most users, even sometimes advanced ones, that JavaScript has changed a site making it hard or impossible to use (most menus are JavaScript based, for example). I’ve used NoScript myself for a month or two and just ended up finding it more of a nuisance than anything.

        I’m a computer teacher and I recognize what people can and will do. This isn’t a recommendation I’d agree with (turning JavaScript off by default and selectively turning it on) except possibly for advanced users. And even then, it makes using the web a lot more unpleasant.

  12. I’m curious about whether the owner of an unsecured PC is, in the jurisdictions of our various countries, liable if it is used to commit fraud. I’d hope that a PC owner who didn’t take “reasonable” (using a word seemingly beloved by the law) security precautions would be considered partly responsible. I gather that this is generally the case in English law, though I don’t know about the specific case of an unsecured or improperly maintained PC.

    • Yes, in India the liability of the owner of the compromised system or network has been enshrined in the IT Act. As you said, the phrase “Reasonable Precautions” also finds mention here.

    • Even if they aren’t held personally liable, it is rare that someone with a PC is not going to have any personal info on it… The folks who fail to take any precautions and let themselves get extremely infected likely find their bank accounts bled dry and identity theft problems that more than make up for the problem.

      It might not happen to all of them but I’d hate to take my chances on it.

  13. It’s an excellent question. Seems like it would be hard to prove the PC owner knew that something illegal was happening.

    • Knowingly or not the source is liable for every avoidable threat negligently caused to others in my world. .oO(In most cases that leads us to a company with a strange sense of justice and responsibility in Redmond, Washington, U.S. :roll:)

  14. Hi, may the picture be republished on commercial site, with link to the permalink of the original post?

  15. You might want to update it with Bitcoin wallet harvesting. This assumes that the user has not bothered to encrypt it, or has used a weak password allowing the attackers time to crack it.

  16. Good info. Reminds me of a former employer a few years ago, a small business (non-computer related) whose owner didn’t believe in using a simple firewall for their Internet connection and didn’t have any concern in securing the half dozen PC’s they used. His mentality was that there was nothing of importance on the PC’s and that no one would be trying to break into them from the Internet anyway. I carefully explained to him the threats at hand (like in the diagram) and offered my assistance to secure things. Sadly, end of the story, nothing was ever done. Shortly thereafter I left that job partly because of that. The ignorance out there is astounding at times.

  17. Can I do an italian language version of your graphic? (maybe a more attractive, less schematic one) ?

  18. … Bitcoin Mining…



A Little Sunshine


22
Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.


21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

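The failure described above, internal applications that inadvertently wrote user passwords into logs, is one of the most common ways credentials end up in plain text on servers that thousands of employees can search. The following Python is an added example, not code from Facebook or from this article, showing the two defensive controls that address it: a redaction step applied before anything is handed to a logger (both for structured dicts and for free-text messages), and a scanner that detects credential fields already sitting in archived log lines so they can be purged. The sensitive key list and the sample log lines are constructed for the example.

```python
import logging
import re
from typing import Any, List, Tuple

# Field names that must never reach a log sink (constructed list; extend per codebase).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "api_key", "token")
REDACTED = "[REDACTED]"

# key, then an optional closing quote and '=' or ':' separator, then the value.
# The value is either a quoted string or a run of characters up to a delimiter.
_KV_RE = re.compile(
    r"""(?i)\b(""" + "|".join(SENSITIVE_KEYS) + r""")(["']?\s*[=:]\s*)("[^"]*"|'[^']*'|[^\s,;&"']+)"""
)


def redact(obj: Any) -> Any:
    """Recursively replace the values of sensitive keys in dicts/lists.

    Use this on structured event data before it is serialised and logged,
    so the plaintext value never leaves the request handler.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def _replace_value(m: "re.Match[str]") -> str:
    # Keep the surrounding quotes, if any, so JSON-ish lines stay readable.
    value = m.group(3)
    quote = value[0] if value[0] in "\"'" else ""
    return f"{m.group(1)}{m.group(2)}{quote}{REDACTED}{quote}"


def redact_text(line: str) -> str:
    """Scrub key=value / "key": "value" credential pairs from a free-text line."""
    return _KV_RE.sub(_replace_value, line)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every message is scrubbed before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated by getMessage()
        return True


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection side: return (line_no, redacted_line) for lines carrying a credential.

    Running this over archived logs tells you which files need purging and
    which code paths were logging too much, without copying the secret again.
    """
    return [(n, redact_text(line)) for n, line in enumerate(lines, 1) if _KV_RE.search(line)]


# Constructed sample log lines in the style of an application access log.
SAMPLE_LOG = [
    "2012-06-01T10:15:02Z INFO login_attempt user=alice password=hunter2 result=ok",
    "2012-06-01T10:15:03Z INFO page_view user=alice path=/home",
    '2012-06-01T10:15:04Z DEBUG request_body {"email": "bob@example.com", "password": "Tr0ub4dor&3"}',
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("login_attempt user=%s password=%s", "alice", "hunter2")  # written redacted
    for line_no, line in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {line}")
```

The filter belongs on the handler, not on individual loggers, so that libraries and third-party code writing through the same sink are covered too; the scanner is the tool for the archive problem the article describes, where the question is how far back the exposure goes.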


17
Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.
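The Yahoo flow just described reduces to a few lines of server code, and so does the fix. The block below is an added example, not code from Yahoo or from this post: it models a "look up the account by phone number, text it a code" reset against a constructed user table in which one number has been recycled to a stranger, and beside it a flow that refuses to treat the number as an identity, requiring the caller to name the account and to redeem a second code sent to a channel the number's new holder does not control. The `USERS` table, the names, the phone numbers and the `Outbox` stand-in for the SMS gateway are all invented for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts (not real users). The number +15550100 was
# recycled by the carrier: it used to be alice's and is now held by a stranger.
USERS = {
    "alice": {"phone": "+15550100", "recovery_email": "alice@example.org"},
    "bob":   {"phone": "+15550199", "recovery_email": "bob@example.org"},
}


@dataclass
class Outbox:
    """Stands in for the SMS gateway and mail server; nothing is really sent."""
    sms: dict = field(default_factory=dict)    # phone number -> code
    email: dict = field(default_factory=dict)  # address -> code


def _issue_code(channel, key):
    code = "%06d" % secrets.randbelow(1_000_000)
    channel[key] = code
    return code


def _owner_of_phone(phone):
    return next((u for u, r in USERS.items() if r["phone"] == phone), None)


# Weak flow: the phone number *is* the identity. This is the pattern in the
# Yahoo reset above: the site never asks who the caller claims to be.
def weak_start_reset(phone, outbox):
    """Text a code to whoever holds the number on file; no other input."""
    if _owner_of_phone(phone) is None:
        return False
    _issue_code(outbox.sms, phone)
    return True


def weak_finish_reset(phone, code, outbox):
    """Return the username now logged in, or None. The current holder of a
    recycled number inherits the previous owner's account."""
    expected = outbox.sms.get(phone, "")
    if expected and hmac.compare_digest(expected, code):
        return _owner_of_phone(phone)
    return None


# Hardened flow: the caller must name the account, the phone must belong to
# that account, and SMS is only one of two factors; the second goes to a
# recovery address the number's new holder does not control.
def hardened_start_reset(username, phone, outbox):
    rec = USERS.get(username)
    # Same response whether the account or the phone is wrong, so the
    # endpoint cannot be used to map phone numbers to accounts.
    if rec is None or not hmac.compare_digest(rec["phone"], phone):
        return "if the details match, codes have been sent"
    _issue_code(outbox.sms, phone)
    _issue_code(outbox.email, rec["recovery_email"])
    return "if the details match, codes have been sent"


def hardened_finish_reset(username, sms_code, email_code, outbox):
    rec = USERS.get(username)
    if rec is None:
        return None
    want_sms = outbox.sms.get(rec["phone"], "")
    want_mail = outbox.email.get(rec["recovery_email"], "")
    ok_sms = bool(want_sms) and hmac.compare_digest(want_sms, sms_code)
    ok_mail = bool(want_mail) and hmac.compare_digest(want_mail, email_code)
    return username if (ok_sms and ok_mail) else None


if __name__ == "__main__":
    # The stranger now holding +15550100 never even knew alice existed.
    box = Outbox()
    weak_start_reset("+15550100", box)
    print("weak flow logs in as:",
          weak_finish_reset("+15550100", box.sms["+15550100"], box))
    box = Outbox()
    hardened_start_reset("alice", "+15550100", box)
    print("hardened flow with the SMS code alone:",
          hardened_finish_reset("alice", box.sms["+15550100"], "no-email-access", box))
```

The hardened flow does not make SMS safe; it only stops the phone number from being sufficient on its own, which is the point Nixon makes below.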

Exactly this recently happened to a reader, who shared the following account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.


8
Mar 19

MyEquifax.com Bypasses Credit Freeze PIN

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and the two other major bureaus (TransUnion and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did not previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me to enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data on almost all U.S. citizens is widely available for sale in the cybercrime underground. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I could recall bits about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

Equifax’s site says it will require users requesting changes to an existing credit freeze to have access to their freeze PIN and be ready to supply it. But Equifax never actually asks for the PIN.

This page informed me that if I had previously secured a freeze of my credit file with Equifax and had been given a PIN needed to undo that status in any way, I should be ready to provide said information if I was requesting changes via phone or email.

In other words, credit freezes and thaws requested via myEquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

Successfully unfreezing (temporarily thawing) my credit freeze did not require me to ever supply my previously-issued freeze PIN from Equifax. Anyone who knew the vaguest and most knowable details about me could have done the same.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).
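The two gaps just described (an account activated without any proof that the enrollee controls the email address, and a thaw granted without the PIN issued when the freeze was placed) translate directly into two server-side checks. The block below is an added example, not Equifax’s code: a signed, expiring activation token of the kind a confirmation link would carry, and a thaw routine that treats a previously issued freeze PIN as mandatory, shown beside the as-found behaviour in which KBA alone unlocks the freeze. The `FreezeAccount` class, `SERVER_KEY`, the `kba_passed` flag standing in for the quiz result, and the sample PIN are all invented for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret for signing tokens; in production it would
# live in a KMS or HSM rather than in process memory.
SERVER_KEY = secrets.token_bytes(32)


def issue_activation_token(email, now, ttl_seconds=3600):
    """Token placed in the confirmation link; binds the address and an expiry."""
    exp = int(now) + ttl_seconds
    mac = hmac.new(SERVER_KEY, f"{email}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def redeem_activation_token(email, token, now):
    """True only if the token was minted for this address and has not expired."""
    exp_str, _, mac = token.partition(".")
    if not exp_str.isdigit() or int(exp_str) < now:
        return False
    want = hmac.new(SERVER_KEY, f"{email}|{exp_str}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, mac)


class FreezeAccount:
    """A consumer's freeze record as it might sit in a bureau's back end."""

    def __init__(self, email, freeze_pin=None):
        self.email = email
        self.email_verified = False
        # Keep only a salted, stretched hash of the PIN issued with the freeze.
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(freeze_pin) if freeze_pin else None

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)

    def activate(self, token, now):
        """Called when the confirmation link is clicked."""
        self.email_verified = redeem_activation_token(self.email, token, now)
        return self.email_verified

    def thaw_as_found(self, kba_passed):
        """The behaviour described above: passing the KBA quiz is enough."""
        return "thawed" if kba_passed else "identity check failed"

    def thaw_hardened(self, kba_passed, supplied_pin):
        """Every gate must pass; an issued PIN is required, not optional."""
        if not self.email_verified:
            return "account not activated"
        if not kba_passed:
            return "identity check failed"
        if self.pin_hash is not None:
            if supplied_pin is None or not hmac.compare_digest(
                    self.pin_hash, self._hash_pin(supplied_pin)):
                return "freeze PIN required"
        return "thawed"


if __name__ == "__main__":
    acct = FreezeAccount("old-address@example.org", freeze_pin="4837201")
    print("as found, KBA only:", acct.thaw_as_found(kba_passed=True))
    print("hardened, no PIN:  ", acct.thaw_hardened(kba_passed=True, supplied_pin=None))
```

Note that the hardened routine fails closed in a different order from the as-found one: an unconfirmed inbox blocks everything, so the stranger's email address in the story above would never have reached the KBA stage.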

Happily, I did discover that when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said.

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”


27
Feb 19

Crypto Mining Service Coinhive to Call it Quits

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

A message posted to the Coinhive blog on Tuesday, Feb. 26, 2019.

In March 2018, Coinhive was listed by many security firms as the top malicious threat to Internet users, thanks to the tendency for Coinhive’s computer code to be surreptitiously deployed on hacked Web sites to steal the computer processing power of its visitors’ devices.

Coinhive took a whopping 30 percent cut of all Monero currency mined by its code, and this presented something of a conflict of interest when it came to stopping the rampant abuse of its platform. At the time, Coinhive was only responding to abuse reports when contacted by a hacked site’s owner. Moreover, when it would respond, it did so by invalidating the cryptographic key tied to the abuse.

Trouble was, killing the key did nothing to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key was invalidated, Coinhive would simply cut out the middleman and proceed to keep 100 percent of the cryptocurrency mined by sites tied to that account from then on.

In response to that investigation, Coinhive made structural changes to its platform to ensure it was no longer profiting from this shady practice.

Troy Mursch is chief research officer at Bad Packets LLC, a company that has closely chronicled a number of high-profile Web sites that were hacked and seeded with Coinhive mining code over the years. Mursch said that after those changes by Coinhive, the mining service became far less attractive to cybercriminals.

“After that, it was not exactly enticing for miscreants to use their platform,” Mursch said. “Most of those guys just took their business elsewhere to other mining pools that don’t charge anywhere near such high fees.”

As Coinhive noted in the statement about its closure, a severe and widespread drop in the value of most major cryptocurrencies weighed heavily on its decision. At the time of my March 2018 piece on Coinhive, Monero was trading at an all-time high of USD $342 per coin, according to charts maintained by coinmarketcap.com. Today, a single Monero is worth less than $50.


18
Feb 19

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Before we delve into the extensive research that culminated in this post, it’s helpful to review the facts disclosed publicly so far. On Nov. 27, 2018, Cisco’s Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed “DNSpionage.”

The DNS part of that moniker refers to the global “Domain Name System,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL certificates for the targeted domains (e.g. webmail.finance.gov.lb), which allowed the servers they had redirected traffic to present a valid certificate, terminate the encrypted connections, and capture the intercepted email and VPN credentials in plain text.

On January 9, 2019, security vendor FireEye released its report, “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale,” which went into far greater technical detail about the “how” of the espionage campaign, but contained few additional details about its victims.

About the same time as the FireEye report, the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records. As part of that mandate, DHS published a short list of domain names and Internet addresses that were used in the DNSpionage campaign, although those details did not go beyond what was previously released by either Cisco Talos or FireEye.

That changed on Jan. 25, 2019, when security firm CrowdStrike published a blog post listing virtually every Internet address known to be (ab)used by the espionage campaign to date. The remainder of this story is based on open-source research and interviews conducted by KrebsOnSecurity in an effort to shed more light on the true extent of this extraordinary — and ongoing — attack.

The “indicators of compromise” related to the DNSpionage campaign, as published by CrowdStrike.

PASSIVE DNS

I began my research by taking each of the Internet addresses laid out in the CrowdStrike report and running them through both Farsight Security and SecurityTrails, services that passively collect data about changes to DNS records tied to tens of millions of Web site domains around the world.

Working backwards from each Internet address, I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies, including targets in Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates.

For example, the passive DNS data shows the attackers were able to hijack the DNS records for mail.gov.ae, which handles email for government offices of the United Arab Emirates. Here are just a few other interesting assets successfully compromised in this cyber espionage campaign:

-nsa.gov.iq: the National Security Advisory of Iraq
-webmail.mofa.gov.ae: email for the United Arab Emirates’ Ministry of Foreign Affairs
-shish.gov.al: the State Intelligence Service of Albania
-mail.mfa.gov.eg: mail server for Egypt’s Ministry of Foreign Affairs
-mod.gov.eg: Egyptian Ministry of Defense
-embassy.ly: Embassy of Libya
-owa.e-albania.al: the Outlook Web Access portal for the e-government portal of Albania
-mail.dgca.gov.kw: email server for Kuwait’s Civil Aviation Bureau
-gid.gov.jo: Jordan’s General Intelligence Directorate
-adpvpn.adpolice.gov.ae: VPN service for the Abu Dhabi Police
-mail.asp.gov.al: email for Albanian State Police
-owa.gov.cy: Microsoft Outlook Web Access for Government of Cyprus
-webmail.finance.gov.lb: email for Lebanon Ministry of Finance
-mail.petroleum.gov.eg: Egyptian Ministry of Petroleum
-mail.cyta.com.cy: Cyta telecommunications and Internet provider, Cyprus
-mail.mea.com.lb: email access for Middle East Airlines

The passive DNS data provided by Farsight and SecurityTrails also offered clues about when each of these domains was hijacked. In most cases, the attackers appear to have changed the DNS records for these domains (we’ll get to the “how” in a moment) so that the domains pointed to servers in Europe that they controlled.

Shortly after the DNS records for these domains were hijacked — sometimes weeks, sometimes just days or hours — the attackers were able to obtain SSL certificates for those domains from SSL providers Comodo and/or Let’s Encrypt. The preparation for several of these attacks can be seen at crt.sh, which provides a searchable database of issued certificates drawn from public Certificate Transparency logs.
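The research method described in this section can be mechanized. The block below is an added example, not tooling from Farsight, SecurityTrails, CrowdStrike or this post: it takes passive-DNS observations in the shape those services return (name, record data, first seen, last seen), flags every name that moved onto an address from the indicator list, reports how long the previous address had been stable, and correlates the change with certificate-transparency entries of the kind crt.sh exposes. The two indicator addresses are the ones cited further down in this post, written in the same defanged form and normalized by the `refang` helper; the observation dates for ns0.idm.net.lb follow the text, while every other record, the certificate entries and the bystander example name are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def refang(ip):
    """Turn the defanged '139.59.134[.]216' form used in reports into an address."""
    return ip.replace("[.]", ".")


# Indicator addresses as cited in this post (from the CrowdStrike list).
IOC_IPS = {refang(ip) for ip in ["139.59.134[.]216", "82.196.11[.]127"]}

# Constructed passive-DNS observations. The ns0.idm.net.lb rows follow the
# dates given in the text; sa1.dnsnode.net and www.example.org rows are invented.
PDNS = [
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "194.126.10.18",
     "first": "2014-02-01", "last": "2018-12-17"},
    {"rrname": "ns0.idm.net.lb", "rrtype": "A", "rdata": "139.59.134.216",
     "first": "2018-12-18", "last": "2018-12-19"},
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "192.0.2.10",
     "first": "2012-05-03", "last": "2018-12-13"},
    {"rrname": "sa1.dnsnode.net", "rrtype": "A", "rdata": "139.59.134.216",
     "first": "2018-12-14", "last": "2018-12-14"},
    {"rrname": "www.example.org", "rrtype": "A", "rdata": "198.51.100.5",
     "first": "2016-01-01", "last": "2019-02-01"},
]

# Constructed certificate-transparency entries in the shape crt.sh lists them.
CT_ENTRIES = [
    {"name": "ns0.idm.net.lb", "issuer": "Let's Encrypt", "not_before": "2018-12-18"},
    {"name": "www.example.org", "issuer": "Let's Encrypt", "not_before": "2017-06-01"},
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def find_hijacks(pdns, ioc_ips, ct_entries, cert_window_days=14):
    """Return one finding per (name, indicator address) pair.

    A finding records the address the name previously resolved to, how many
    days that address had been stable, and any certificate issued for the
    name from the day of the change through `cert_window_days` after it.
    """
    by_name = defaultdict(list)
    for rec in pdns:
        if rec["rrtype"] == "A":
            by_name[rec["rrname"]].append(rec)

    findings = []
    for name, recs in by_name.items():
        recs.sort(key=lambda r: _day(r["first"]))
        for i, rec in enumerate(recs):
            if rec["rdata"] not in ioc_ips:
                continue
            prior = recs[i - 1] if i > 0 else None
            start = _day(rec["first"])
            certs = [
                (c["issuer"], c["not_before"]) for c in ct_entries
                if c["name"] == name
                and start <= _day(c["not_before"]) <= start + timedelta(days=cert_window_days)
            ]
            findings.append({
                "name": name,
                "attacker_ip": rec["rdata"],
                "hijacked_on": rec["first"],
                "previous_ip": prior["rdata"] if prior else None,
                "previous_tenure_days": (start - _day(prior["first"])).days if prior else None,
                "certs_issued_after_hijack": certs,
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacks(PDNS, IOC_IPS, CT_ENTRIES):
        print(f)
```

A long `previous_tenure_days` followed by a move to an indicator address is the signature the text describes; a certificate issued inside the window is the corroboration that the attackers were preparing to terminate TLS for the name.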

Let’s take a closer look at one example. The CrowdStrike report references the Internet address 139.59.134[.]216 (see above), which according to Farsight was home to just seven different domains over the years. Two of those domains only appeared at that Internet address in December 2018, including domains in Lebanon and — curiously — Sweden.

The first domain was “ns0.idm.net.lb,” which is a server for the Lebanese Internet service provider IDM. From early 2014 until December 2018, ns0.idm.net.lb pointed to 194.126.10[.]18, which appropriately enough is an Internet address based in Lebanon. But as we can see in the screenshot from Farsight’s data below, on Dec. 18, 2018, the DNS records for this ISP were changed to point Internet traffic destined for IDM to a hosting provider in Germany (the 139.59.134[.]216 address).

Source: Farsight Security

Notice what else is listed along with IDM’s domain at 139.59.134[.]216, according to Farsight:

The DNS records for the domains sa1.dnsnode.net and fork.sth.dnsnode.net also were changed from their rightful home in Sweden to the German hosting provider controlled by the attackers in December. These domains are owned by Netnod Internet Exchange, a major global DNS provider based in Sweden. Netnod also operates one of the 13 “root” name servers, a critical resource that forms the very foundation of the global DNS system.

We’ll come back to Netnod in a moment. But first let’s look at another Internet address referenced in the CrowdStrike report as part of the infrastructure abused by the DNSpionage hackers: 82.196.11[.]127. This address in The Netherlands also is home to the domain mmfasi[.]com, which Crowdstrike says was one of the attacker’s domains that was used as a DNS server for some of the hijacked infrastructure.

As we can see in the screenshot above, 82.196.11[.]127 was temporarily home to another pair of Netnod DNS servers, as well as the server “ns.anycast.woodynet.net.” That domain is derived from the nickname of Bill Woodcock, who serves as executive director of Packet Clearing House (PCH).

PCH is a nonprofit entity based in northern California that also manages significant amounts of the world’s DNS infrastructure, particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage.


4
Feb 19

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that’s been dubbed “Spammy Bear” — achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy’s hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company’s automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.

“What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy’s hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It’s also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach.

“Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”


22
Jan 19

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time received service from GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about a weakness that could be used to hijack email service for 20,000 established domain names at a U.S. based hosting provider. A few months later, Bryant warned that the same technique could be leveraged to send spam from more than 120,000 trusted domains across multiple providers. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet addresses that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

SAY WHAT?

For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to allow the sending of email with that domain from an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.
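As an added example (not code from the article, from GoDaddy or from Mozilla), here is the audit a domain owner could run over their own catalogue to find the dormant-domain state described above: a delegation that still names a managed provider’s servers while no zone for the domain is hosted there. The classification runs offline on constructed probe results; the optional live probe assumes dnspython is installed.

```python
"""Audit for dangling managed-DNS delegations (added example, not the article's
own code). A server that no longer hosts a zone answers a direct SOA query
with REFUSED (or without the AA bit) instead of an authoritative answer; that
is the state another customer of the same provider can later fill by adding
the zone to their account. The optional live probe assumes dnspython.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Nameserver suffixes of shared managed-DNS platforms. domaincontrol.com is the
# GoDaddy suffix named in the article; extend the tuple for other providers.
SHARED_MANAGED_DNS_SUFFIXES = ("domaincontrol.com",)


class Probe(Enum):
    """Outcome of asking one delegated nameserver directly for SOA <domain>."""
    AUTHORITATIVE = "answer with AA bit set"
    NOT_AUTHORITATIVE = "answer without AA bit"
    REFUSED = "RCODE REFUSED"
    NXDOMAIN = "RCODE NXDOMAIN"
    SERVFAIL = "other error RCODE"
    TIMEOUT = "no response"


class Risk(Enum):
    OK = "every delegated nameserver serves the zone"
    DANGLING = "a delegated nameserver does not serve the zone"
    UNKNOWN = "a delegated nameserver could not be reached"
    UNDELEGATED = "no NS records found for the domain"


@dataclass
class Finding:
    domain: str
    risk: Risk
    dangling_ns: list[str]
    shared_provider: bool  # a dangling server belongs to a shared platform


def _is_shared(ns: str) -> bool:
    host = ns.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SHARED_MANAGED_DNS_SUFFIXES)


def classify(domain: str, delegation: dict[str, Probe]) -> Finding:
    """delegation maps each delegated NS name to the probe outcome obtained by
    querying that server directly for SOA <domain>."""
    if not delegation:
        return Finding(domain, Risk.UNDELEGATED, [], False)
    # Any definite non-authoritative answer means the server has no zone for
    # this name; a timeout alone is inconclusive and is reported as UNKNOWN.
    dangling = sorted(ns for ns, p in delegation.items()
                      if p not in (Probe.AUTHORITATIVE, Probe.TIMEOUT))
    unreachable = [ns for ns, p in delegation.items() if p is Probe.TIMEOUT]
    if dangling:
        return Finding(domain, Risk.DANGLING, dangling, any(_is_shared(ns) for ns in dangling))
    if unreachable:
        return Finding(domain, Risk.UNKNOWN, [], False)
    return Finding(domain, Risk.OK, [], False)


def probe_live(domain: str, timeout: float = 3.0) -> dict[str, Probe]:
    """Collect probe results over the network (needs dnspython and DNS access).
    It asks the recursive resolver for the NS set; a stricter audit would ask
    the parent zone's servers, since the delegation there is what matters."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    results: dict[str, Probe] = {}
    try:
        ns_rrset = dns.resolver.resolve(domain, "NS")
    except dns.exception.DNSException:
        return results
    for rr in ns_rrset:
        ns = rr.target.to_text()
        try:
            addr = dns.resolver.resolve(ns, "A")[0].to_text()
            reply = dns.query.udp(dns.message.make_query(domain, "SOA"), addr, timeout=timeout)
        except dns.exception.DNSException:
            results[ns] = Probe.TIMEOUT  # address lookup failed or no reply
            continue
        rcode = reply.rcode()
        if rcode == dns.rcode.REFUSED:
            results[ns] = Probe.REFUSED
        elif rcode == dns.rcode.NXDOMAIN:
            results[ns] = Probe.NXDOMAIN
        elif rcode != dns.rcode.NOERROR:
            results[ns] = Probe.SERVFAIL
        elif reply.flags & dns.flags.AA:
            results[ns] = Probe.AUTHORITATIVE
        else:
            results[ns] = Probe.NOT_AUTHORITATIVE
    return results


# Constructed sample catalogue (not real measurements). The first entry models
# the dormant-domain state described above: still delegated to the GoDaddy
# managed-DNS pair named in the article, but with no zone hosted there.
SAMPLE_PROBES = {
    "dormant.example": {"ns17.domaincontrol.com.": Probe.REFUSED,
                        "ns18.domaincontrol.com.": Probe.REFUSED},
    "healthy.example": {"ns1.dns.example.net.": Probe.AUTHORITATIVE,
                        "ns2.dns.example.net.": Probe.AUTHORITATIVE},
    "flaky.example": {"ns1.dns.example.net.": Probe.AUTHORITATIVE,
                      "ns2.dns.example.net.": Probe.TIMEOUT},
}

if __name__ == "__main__":
    for domain, probes in SAMPLE_PROBES.items():
        f = classify(domain, probes)
        print(f"{f.domain:16} {f.risk.name:12} dangling={f.dangling_ns} shared={f.shared_provider}")
```

A DANGLING finding with shared_provider set is the condition to fix first, either by restoring the zone at the provider or by re-delegating the name to servers you control.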

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”


17
Jan 19

773M Password ‘Megabreach’ is Years Old

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

The 87GB “Collection1” archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific ne’er-do-well in the underground.

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection #1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).


10
Jan 19

Secret Service: Theft Rings Turn to Fuze Cards

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

A Fuze card can store up to 30 credit/debit cards. Image: Fuzecard.com

Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.

After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.

An internal memo the U.S. Secret Service shared with financial industry partners states that Secret Service field offices in New York and St. Louis are currently working criminal investigations where Fuze Cards have been used by fraud rings.

The memo, a copy of which was obtained by KrebsOnSecurity, states that card theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.

“The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.

Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers. The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdraw funds from ATMs (if the fraudsters also have the cardholder’s PIN).

But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities. Hence, the allure of the Fuze Card, which may appear to the casual observer to be just another credit card in one’s wallet.


Ne’er-Do-Well News — Krebs on Security


2
Apr 19

Canadian Police Raid ‘Orcus RAT’ Author

Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.

An advertisement for Orcus RAT.

As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”

“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.

Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”

As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.


29
Mar 19

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.


22
Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.


4
Mar 19

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38.


28
Feb 19

Booter Boss Interviewed in 2014 Pleads Guilty

A 20-year-old Illinois man has pleaded guilty to running multiple DDoS-for-hire services that launched millions of attacks over several years. The plea deal comes almost exactly five years after KrebsOnSecurity interviewed both the admitted felon and his father and urged the latter to take a more active interest in his son’s online activities.

Sergiy P. Usatyuk of Orland Park, Ill. pleaded guilty this week to one count of conspiracy to cause damage to Internet-connected computers and for his role in owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com, databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

Some of Rasbora’s posts on hackforums[.]net prior to our phone call in 2014. Most of these have since been deleted.

A U.S. Justice Department press release on the guilty plea says Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez” — admitted developing, controlling and operating the aforementioned booter services from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an assistant professor at the University of Illinois at Chicago. I did so because a brief amount of sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the time went by the nicknames “Rasbora” and “Mr. Booter Master” — was heavily involved in helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is] doing. If you think that is any kind of illegal work, please, let me know.”


27
Feb 19

Crypto Mining Service Coinhive to Call it Quits

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

A message posted to the Coinhive blog on Tuesday, Feb. 26, 2019.

In March 2018, Coinhive was listed by many security firms as the top malicious threat to Internet users, thanks to the tendency for Coinhive’s computer code to be surreptitiously deployed on hacked Web sites to steal the computer processing power of its visitors’ devices.

Coinhive took a whopping 30 percent of the cut of all Monero currency mined by its code, and this presented something of a conflict of interest when it came to stopping the rampant abuse of its platform. At the time, Coinhive was only responding to abuse reports when contacted by a hacked site’s owner. Moreover, when it would respond, it did so by invalidating the cryptographic key tied to the abuse.

Trouble was, killing the key did nothing to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key was invalidated, Coinhive would simply cut out the middleman and proceed to keep 100 percent of the cryptocurrency mined by sites tied to that account from then on.

In response to that investigation, Coinhive made structural changes to its platform to ensure it was no longer profiting from this shady practice.

Troy Mursch is chief research officer at Bad Packets LLC, a company that has closely chronicled a number of high-profile Web sites that were hacked and seeded with Coinhive mining code over the years. Mursch said that after those changes by Coinhive, the mining service became far less attractive to cybercriminals.

“After that, it was not exactly enticing for miscreants to use their platform,” Mursch said. “Most of those guys just took their business elsewhere to other mining pools that don’t charge anywhere near such high fees.”

As Coinhive noted in the statement about its closure, a severe and widespread drop in the value of most major cryptocurrencies weighed heavily on its decision. At the time of my March 2018 piece on Coinhive, Monero was trading at an all-time high of USD $342 per coin, according to charts maintained by coinmarketcap.com. Today, a single Monero is worth less than $50.


26
Feb 19

Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison

A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men — a former Russian cyber intelligence official and an executive at Russian security firm Kaspersky Lab — were reportedly prosecuted for their part in an investigation into Pavel Vrublevsky, a convicted cybercriminal who ran one of the world’s biggest spam networks and was a major focus of my 2014 book, Spam Nation.

Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit, was sentenced today to 22 years in prison. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial.

Following their dramatic arrests in 2016, many news media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee. The case against Fomchenkov and Dokuchaev has not yet gone to trial.

What exactly was revealed during the trial of Mikhailov and Stoyanov is not clear, as the details surrounding it were classified. But according to information first reported by KrebsOnSecurity in January 2017, the most likely explanation for their prosecution stemmed from a long-running grudge held by Pavel Vrublevsky, a Russian businessman who ran a payment firm called ChronoPay and for years paid most of the world’s top spammers and virus writers to pump malware and hundreds of billions of junk emails into U.S. inboxes.


14
Feb 19

Bomb Threat Hoaxer Exposed by Hacked Gaming Site

Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused — who had fairly well separated his real life identity from his online personas — appears to have been caught after a gaming Web site he frequented got hacked.

On Feb. 12, the U.S. Justice Department announced the arrest of Timothy Dalton Vaughn, a 20-year-old from Winston-Salem, N.C. Vaughn is alleged to have been a key member of the Apophis Squad, a gang of ne’er-do-wells who made bomb threats against thousands of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions.

The feds say Vaughn used multiple aliases on Twitter and elsewhere to crow about his attacks, including “HDGZero,” “WantedByFeds,” and “Xavier Farbel.” Among the Apophis Squad’s targets was encrypted mail service Protonmail, which reached out to this author last year for clues about the identities of the Apophis Squad members after noticing we were both being targeted by them and receiving demands for money in exchange for calling off the attacks.

Protonmail later publicly thanked KrebsOnSecurity for helping to bring about the arrest of Apophis Squad leader George Duke-Cohan — a.k.a. “opt1cz,” “7R1D3n7,” and “Pl3xl3t,” — a 19-year-old from the United Kingdom who was convicted in December 2018 and sentenced to three years in prison. But the real-life identity of HDGZero remained a mystery to both of us, as there was little publicly available information at the time connecting that moniker to anyone.

The DDoS-for-hire service run by Apophis Squad listed their members.

That is, until early January 2019, when news broke that hackers had broken into the servers of computer game maker BlankMediaGames and made off with account details of some 7.6 million people who had signed up to play “Town of Salem,” the company’s browser-based role playing game. That stolen information has since been posted and resold in underground forums.

A review of the leaked BlankMediaGames user database shows that in late 2018, someone who selected the username “hdgzero” signed up to play Town of Salem, registering with the email address xavierfarbel@gmail.com. The data also shows this person registered at the site using a Sprint mobile device with an Internet address that traced back to the Carolinas.


6
Feb 19

More Alleged SIM Swappers Face Justice

Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who’s built a solid reputation hijacking mobile phone numbers for profit.

According to indictments unsealed this week, Tucson, Ariz. resident Ahmad Wagaafe Hared and Matthew Gene Ditman of Las Vegas were part of a group that specialized in tricking or bribing representatives at the major wireless providers into giving them control over phone numbers belonging to people they later targeted for extortion and theft.

Investigators allege that between October 2016 and May 2018, Hared and Ditman grew proficient at SIM swapping, a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.

The Justice Department says Hared was better known to his co-conspirators as “winblo.” That nickname corresponds to an extremely active and at one time revered member of the forum ogusers[.]com, a marketplace for people who wish to sell highly prized social media account names — including short usernames at Twitter, Instagram and other sites that can fetch thousands of dollars apiece.

Winblo’s account on ogusers[.]com

Winblo was an associate and business partner of another top Oguser member, a serial SIM swapper known to Oguser members as “Xzavyer.” In August 2018, authorities in California arrested a hacker by the same name — whose real name is Xzavyer Clemente Narvaez — charging him with identity theft, grand theft, and computer intrusion.

Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car.

According to the indictments against Hared and Ditman, one of the men (the indictment doesn’t specify which) allegedly used his ill-gotten gains to purchase a BMW i8, an automobile that sells for about $150,000.

Investigators also say the two men stole approximately 40 bitcoins from their SIM swapping victims. That’s roughly $136,000 in today’s conversion, but it would have been substantially more in 2017 when the price of a single bitcoin reached nearly $20,000.

Interestingly, KrebsOnSecurity was contacted in 2018 by a California man who said he was SIM swapped by Winblo and several associates. That victim, who asked not to be identified for fear of reprisals, said his Verizon mobile number was SIM hijacked by Winblo and others who used that access to take over his Twitter and PayPal accounts and then demand payment for the return of the accounts.

A computer specialist by trade, the victim said he was targeted because he’d invested in a cryptocurrency startup, and that the hackers found his contact information from a list of investors they’d somehow obtained. As luck would have it, he didn’t have much of value to steal in his accounts.

The victim said he learned more about his tormentors and exactly how they’d taken over his mobile number after they invited him to an online chat to negotiate a price for the return of his accounts.

“They told me they had called a Verizon employee line [posing as a Verizon employee] and managed to get my Verizon account ID number,” said my victim source. “Once they had that, they called Verizon customer service and had them reset the password. They literally just called and pretended to be me, and were able to get my account tied to another SIM card.”

The victim said his attackers even called his mom because the mobile account was in her name. Soon after that, his phone went dead.

“The funny thing was, after I got my account back the next day, there was a voicemail from a Verizon customer service agent who said something like, ‘Hey [omitted], heard you were having trouble with your line, hope the new SIM card is working okay, give us a call if not, have a nice day.'”


1
Feb 19

250 Webstresser Users to Face Legal Action

More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union’s law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser’s customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018.



#####EOF##### Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years — Krebs on Security

21
Mar 19

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data,” Renfro said. “In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Both GitHub and Twitter were forced to admit similar stumbles in recent months, but in both of those cases the plain text user passwords were available to a relatively small number of people within those organizations, and for far shorter periods of time.

Renfro said the issue first came to light in January 2019 when security engineers reviewing some new code noticed passwords were being inadvertently logged in plain text.

“This prompted the team to set up a small task force to make sure we did a broad-based review of anywhere this might be happening,” Renfro said. “We have a bunch of controls in place to try to mitigate these problems, and we’re in the process of investigating long-term infrastructure changes to prevent this going forward. We’re now reviewing any logs we have to see if there has been abuse or other access to that data.”
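Renfro describes passwords that were "inadvertently logged" and controls meant to mitigate that. One such control is a redaction step that sits between application code and the log sink, so a developer who logs a request body or a form dictionary cannot leak a credential even by mistake. The following Python is an added example written for this page, not Facebook's code; the set of field names it treats as sensitive (password, passwd, pwd, token, secret) and the three log-line shapes it recognises (key=value, key: value, and JSON "key": "value") are assumptions about what an application might emit.

```python
import io
import logging
import re

# Assumption: these are the field names the application uses for secrets.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret")

# Recognises three common shapes a secret takes in a log line:
#   key=value          (query strings, form bodies, structured key=value logs)
#   key: value         (free-text messages)
#   "key": "value"     (JSON fragments dumped into a message)
# Group 1 keeps the key and separator, group 2 the optional quote, group 3 the value.
_SECRET_RE = re.compile(
    r'(?i)(["\']?\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b["\']?\s*[:=]\s*)'
    r'(["\']?)([^"\'\s,}&]*)\2'
)


def redact(text: str) -> str:
    """Replace the value of every sensitive key in text with a fixed marker."""
    return _SECRET_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]{m.group(2)}", text
    )


class RedactSecretsFilter(logging.Filter):
    """Rewrites each LogRecord before the handler formats and emits it.

    The message is rendered once, scrubbed, and stored back as a literal
    message, so the sink (file, pipe, log shipper) never sees the secret.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_log(message: str, scrub: bool) -> str:
    """Log one message to an in-memory buffer, with or without the filter, and return the line."""
    buf = io.StringIO()
    logger = logging.getLogger(f"redact-demo.{'on' if scrub else 'off'}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    if scrub:
        handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines of the kind an application might emit by accident.
    samples = [
        "login attempt user=alice password=hunter2 ip=10.0.0.1",
        '{"user": "alice", "password": "s3cret!", "remember": true}',
        "form body: user=bob&pwd=abc123&x=1",
    ]
    for line in samples:
        print("unfiltered:", capture_log(line, scrub=False))
        print("filtered:  ", capture_log(line, scrub=True))
```

The filter is attached to the handler rather than the logger so that it also catches records arriving from child loggers; a production deployment would register it on every handler, and the key list would be derived from the application's own field names rather than guessed.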

Facebook’s password woes come amid a tough month for the social network. Last week, The New York Times reported that federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest tech companies.

Earlier in March, Facebook came under fire from security and privacy experts for using phone numbers provided for security reasons — like two-factor authentication — for other things (like marketing, advertising and making users searchable by their phone numbers across the social network’s different platforms).

Update, 11:43 a.m.: Facebook has posted a statement about this incident here.


205 comments

  1. Well, I think it is difficult to quit Facebook. We all depend on it for most of the things, especially when you are running some business or you are an influencer. So, I think quitting Facebook is not a good idea. If you want to be secure and want to protect your data then you should choose your password wisely.

    • The best case in this scenario is that you used a password that you didn’t reuse on any other website. You could have had the best or longest password ever in this case, but if it was stored in plain text it wouldn’t make a difference.

  2. I picture Facebook’s security officer sitting in a room alone and nobody bothers to confer. Maybe this person brings up these failures, but probably gets ignored. More than likely nobody really cares at Facebook; this goes way back to Zuckerberg’s college days when he started a social network and bragged about his access to users’ data. Clearly a plan of Facebook all along to collect lots of user data for making money from. We should not be surprised and shouldn’t expect Zuckerberg to change because he has a long history of not being concerned.

  3. I agree with many commentators above. Saying that a password change is not required is irresponsible even without a breach of this sort. Change your password on Facebook ASAP. Even if you are not on Facebook, but were at some point in the past, double check your passwords on any other site and change those too if you have suspicion that it may be created with a similar logic. While security conscious folks may create different passwords for different sites, or may regularly change passwords on websites, the rest of the public may have someone who doesn’t.

  4. Wow, Facebook has been bad at security for a long time: I feel like every month we learn something bad about Facebook, but their stocks are not affected. It is like we are now immune or have come to an acceptance that they will fail at protecting our privacy. Other companies get one bad news item and their stocks take a dive, but not Facebook.

  5. o))) Well hello ANOTHER BREACH GREAT THAT SUCKS. What I suggest is maybe getting into some of your own practiced Encryption OR BUYING A YUBIKEY ( Not yelling at you)

    o))) I use YUBIKEY all the time and it doesn’t happen to me, any breaches, and my online is more of a battle with the hackers and bullies and password thieves and phone thieves and all those in-between fun. IT’S A GREAT Psyche Work out. something physical if I’m walking or running or exploring new territory.

    o))) also if you want to make it more physical get into exploring NFC Tags.

    o))) The QR Code Way is a little tricky cause it involves paper.

    Crypto: 07b654385c3cf16f73ff6441a785e182

  6. I thought Facebook hires some good engineers, hard to imagine that only after 2000 people searching do they start to fix this. It should honestly be pretty obvious.

  7. I know I had a problem 2 years ago that made me delete my account. First I deactivated it. Then I wanted to change my password, before I decided to delete it. What made me delete it was that I wanted to use a password I had used before. Facebook said that I had already used that one.
    Made me think a lot about it, because I always thought passwords were for my eyes only.
    Don’t know if this has anything to do with what’s going on with the employees, I hope not.

    • A provider preventing you from using an old password doesn’t necessarily mean they’re storing your password in plaintext. Basically it works like this.

      You sign up and create a password. Your password would be sent to the server, hashed, and stored in a database under some field, let’s call it “CurrentPassword”.

      You change your password. The server hashes your new password and checks it against however many old passwords they store. If no matches are found and the password complies with whatever password rules they have, the value in “CurrentPassword” is moved to “OldPassword1” and the new password is hashed and stored in “CurrentPassword”.
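The reply above describes how a site can refuse a previously used password while storing only hashes. As an added example, not the commenter's code, the Python below implements that scheme end to end: each stored entry is a per-password random salt plus a PBKDF2-HMAC-SHA256 derived key, a change request is re-hashed with each remembered entry's own salt and compared, and on success the current entry is rotated into the history. The field names "CurrentPassword" and "OldPasswords", the history depth of three, and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumptions for this example: PBKDF2-HMAC-SHA256 as the hash, a random salt
# per stored entry, and a history of three previous passwords per account.
PBKDF2_ITERATIONS = 100_000   # raise in production, or use a memory-hard KDF
HISTORY_DEPTH = 3

HashEntry = Tuple[bytes, bytes]  # (salt, derived key); the plaintext is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Derive a key from the password; a fresh random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def matches(password: str, entry: HashEntry) -> bool:
    """Re-derive with the entry's own salt and compare in constant time."""
    salt, expected = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def create_user(db: Dict[str, dict], username: str, password: str) -> None:
    """Register an account holding only a salted hash, as the reply describes."""
    db[username] = {"CurrentPassword": hash_password(password), "OldPasswords": []}


def verify_login(db: Dict[str, dict], username: str, password: str) -> bool:
    return username in db and matches(password, db[username]["CurrentPassword"])


def change_password(db: Dict[str, dict], username: str, new_password: str) -> str:
    """Return "reused" if the new password equals the current or a remembered old one, else "ok"."""
    rec = db[username]
    history = [rec["CurrentPassword"]] + rec["OldPasswords"]
    if any(matches(new_password, entry) for entry in history):
        return "reused"
    # Rotate: the current entry becomes the newest old one; keep HISTORY_DEPTH of them.
    rec["OldPasswords"] = history[:HISTORY_DEPTH]
    rec["CurrentPassword"] = hash_password(new_password)
    return "ok"


def stored_contains_plaintext(db: Dict[str, dict], username: str, password: str) -> bool:
    """True only if the raw password bytes appear anywhere in the stored record."""
    rec = db[username]
    blobs = [b for entry in [rec["CurrentPassword"]] + rec["OldPasswords"] for b in entry]
    return any(password.encode("utf-8") in blob for blob in blobs)


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    create_user(db, "alice", "first-password")          # constructed sample account
    print(change_password(db, "alice", "first-password"))   # reused
    print(change_password(db, "alice", "second-password"))  # ok
    print(change_password(db, "alice", "first-password"))   # reused (still in history)
    print(stored_contains_plaintext(db, "alice", "second-password"))  # False
```

Because every comparison goes through the KDF, a history check costs one derivation per remembered entry; that is why real systems bound the depth. Once more than HISTORY_DEPTH changes have happened, the oldest entry falls out and that password becomes acceptable again, which is the behaviour the reply's "however many old passwords they store" implies.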

  8. Not scrubbing PID and passwords from a logger is a real rookie mistake though. It is clearer than ever that the company just doesn’t have security on its mind when it starts any activity.

  9. Mass market topics produce the most useless comments.

  10. Cases of this kind happen. It is time to ask what was the specific purpose of this? Why did they keep users’ passwords as plain text?

  11. gerlinde friedrich

    I don’t know my PIN anymore.

  12. Unfortunately, there’s a lot more sites people use that store passwords in clear-text in the database. The proliferation of scripts, and non-security oriented programmers has increased this dramatically. As difficult as it is, a different password for each site is looking like the way to go.

  13. I think the passwords have leaked outside of FB.
    I got a successful login from an unusual device notification today on my FB account. Had to reset my pwd and so on. I am pretty sure the leak is not from elsewhere, as I use unique complex passwords on each website, and so this break-in to my FB account could not have been possible from another site compromise. I also don’t believe too much in the coincidence.

  14. Captain Midnight

    No security culture exists at FB.



#####EOF##### Why Phone Numbers Stink As Identity Proof — Krebs on Security

17
Mar 19

Why Phone Numbers Stink As Identity Proof

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you knew was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied to any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone numbers are tied to peoples’ identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Oftentimes when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There are all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.

Update, March 18, 1:25 p.m. ET: On March 14, Google published instructions describing how to disable SMS or voice in 2-step verification on G Suite accounts.


82 comments

  1. As mentioned above, Scandinavia (or at least Sweden) has a system that is harder to crack. On the other hand, we have a much smaller economy with far fewer banks to trust…

    To open a bank account (and e-banking) you have to show up in person and verify identity with physical ID-card. Most banks use some type of 2FA for login, either one-time use codes from scratch cards, code generating hardware, card readers that read chip based ID-cards or similar.

    Once on the inside, the bank can issue a Bank-ID for use on your device together with a code. https://www.bankid.com/en/

    If you change device you need to re-issue a Bank-ID via your bank. And, they have a limited lifetime before they are rendered invalid.

    The system is in wide spread use by business, finance and government. You can even do your tax returns with Bank-ID as ID-verification.

    The system is not totally secure of course, in fact there are quite a lot of social engineering attacks going on, but it seems a better system than the totally unsecure way of using phone numbers as validation of identity.

  2. I think it’s best to get a pager because it can be paid for a long time and will never disconnect.

  3. Telephony technology has changed significantly over the last 30 years. However, legacy assumptions have not fully caught up. The North American PSTN (public switched telephone network) was traditionally a centrally controlled, limited access network. Being a hardwired network, the phone number was tightly controlled and was the actual address of a physical location which could be step-wise “walked” to the destination. Now, the network is (for the most part) a digital packet switched network, with phone numbers being a virtually routed address at best, and phone number ownership a matrix of relationships. In this current environment phone numbers should be carefully used and verified, and treated more like IP addresses. I blame some of the issues discussed in your article on the telephone companies that provision these phone numbers. They are the owners of these “addresses” and the only entities that know the end-point being addressed. They should take some responsibility for how accurate phone numbers are. Without some rudimentary real-time method to verify a phone number is active and has not recently changed “hands”, those that rely on the phone number have no way to trust it. Laws like the Telephone Consumer Protection Act (TCPA) attempt to help the consumer but put much of the burden on the caller. The owners of the numbers should be required to provide tools to allow those who rely on the phone number to abide by the law.

  4. Only idiots use ‘free’ email services like gmail, yahoo, etc. One needs to pay a fee (or operate one’s own email server) and ideally register your own email domain – to make it portable to other platforms. (And the domain registration needs to be well locked down).

    • So, Rick, if one starts paying to Google fee (for e.g. G-Suite), would that resolve your concern? If so, could you elaborate, please?

    • Not So Slick Rick

      Just to clarify, are you suggesting the normal average Joe user does this? If so, I have some follow-up questions:

      1.) Who do you think you are?
      2.) What gives you the right?

      I hate so much of what you choose to be, Rick.

  5. Yet another Dongle

    I note that the old ‘ask some questions’ routine has popped up. In its defence, I keep a register of unusual answers. For example a person that has been through an unpleasant marriage breakup might list where they had their honeymoon as ‘Hades’, or their first car might be a roller skate.

    Of course, most people answer honestly which means their answers are probably obtainable on line. What’s my Mother’s Maiden name? The correct answer is easily found. My Answer, ahem, not so much. My first pet? probably discoverable, but not the answer I record.

    Nevertheless, that requires a register (that is encrypted) because I can’t remember all the wild responses. Not many are prepared to do that. It’s not a satisfactory situation.

    • “One of the problems of successful lying is that it’s hard work.”

    • Chuck van der Linden

      The trick is to use the ‘real’ answer as a mental trigger to your answer..

      For example if the model of your first car was a Mustang, your answer might be “For Pony!”

      Not perfect, as it does run a risk if security answers are breached on a site.

      To be safer you’d need different answers at every site, and that does require some kind of register such as an encrypted doc in a password store.. Still a risk but at least you’ve reduced it to how you maintain that document.

      (note: potentially a good idea to have one or two trusted family members know about that doc, in the event you are incapacitated or killed and someone else needs to gain access to those accounts. )

  6. This is why I have 1-time codes printed out on paper stashed away in a safe place. If I ever lose my phone, I can get back into the account without access to SMS or an authenticator app.

  7. My adult son “lost” his phone number and phone because his separated wife “bricked” his iPhone by reporting it “stolen” or lost. She had control of the family’s Verizon account and my son could not gain access without a court order. The marital judge heard the complaint but would not deal with the issue.
    My son lost both his phone number and his phone and access to his 2FA texts, etc. It was terrible and avoidable if any good will was involved.

  8. Not only a matter of privacy, but also of being practical. Paypal only accepts numbers from the country your account is from. I had a lot of headache when I moved from Spain to Italy…

    I cancelled my Spanish number and, surprise, wasn’t able to access my Spanish paypal account anymore. And good luck trying to reach customer service, they were not able to help me. I almost lost a few hundred euros. Now, I’m spending some time in another country, but had to keep my Italian number just so Paypal won’t screw me again.

  9. It also doesn’t help when many major online social/media sites ASSUME a 1-to-1 mapping of phone numbers and individuals when registering (or “verifying”) your account. So if you want to use a shared phone for two (or more) legitimate separate accounts in a short period, you’re out of luck. Just 20 years ago, it probably wasn’t uncommon for a single [land line] phone to be used by 2-4 people, and some still do.

    What’s worse is when online account verification allows you to use voice instead of SMS, which I expect is for non-mobile users (i.e. land lines or other common household phones, like VoIP service). So they simultaneously support such phones while assuming they are 1-to-1, despite knowing such phones are typically multi-user.

  10. I’ve got a new phone number, downloaded WhatsApp and got all the private communications from a previous user in it!
    I deleted WhatsApp from my phone and never wish to use it.

  11. The use of phone numbers as persistent identifiers is a huge privacy problem that my colleagues and I are studying. We’re currently conducting a survey to collect negative experiences related to phone numbers. If anyone has similar stories to the ones in the post, we’d love to hear them!

    https://umich.qualtrics.com/jfe/form/SV_bHMnNQK0ranAnHL

  12. I wonder why nobody has mentioned the W3C WebAuthn yet. With it finalized, there is an alternative way of authenticating people without passwords or phone numbers.

    Provided a site implements the necessary WebAuthn steps, you can register a mobile or hardware token with which you are able to (even pseudonymously) authenticate at a site.

    Registering more than one token then allows authentication backups that are much, much more secure than security questions or SMS communication.

    And Joe Doe users will probably grasp the concept quite fast, because the metaphor of a simple door lock key works quite well for this.

  13. Oh, now I see it actually has been mentioned several times, directly and indirectly (FIDO, fingerprint, …).

    Yes it is a technical solution (like using mobile for 2FA is) and does cost the User a bit.

    But the costs also mean that creating fake accounts does have an upper limit.

  14. Similar things happen with email addresses. There are many airlines, banks, credit card companies, insurance companies, financial companies and many other companies that do not verify email addresses. And email addresses can be reused in many places.

    I have a simple email address: first initial, last name at Gmail. I get at least 3 or 4 emails PER DAY for someone else because these companies haven’t confirmed the email address and someone, somewhere typed it incorrectly (or didn’t know that their own email address is first initial, last name plus some number). I’ve had email from American Express, Intuit (about someone else’s tax return being accepted), Walmart, airlines, car rental places, wifi hotspots at many airports, doctors to their patients, a half dozen banks etc. that are meant to be going somewhere else. Stores in the US, UK, and many other countries around the world.

    Most have:
    1. No way to report this.
    2. No way to unsubscribe.

    I treat them as spam or phishing when there is no easy way to report them and then let their phishing and spam people deal with them.

    For the doctors that might have HIPAA violations, I try to cc the office on the spam reports.

    The people involved in these entities’ security departments are way behind the curve.




18
Aug 15

Was the Ashley Madison Database Leaked?

Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.

Update, 11:52 p.m. ET: I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.

Original story:

A huge trove of data nearly 10 gigabytes in size was dumped onto the Deep Web and onto various Torrent file-sharing services over the past 48 hours. According to a story at Wired.com, included in the files are names, addresses and phone numbers apparently attached to AshleyMadison member profiles, along with credit card data and transaction information. Links to the files were preceded by a text file message titled “Time’s Up” (see screenshot below).

The message left by the latest group claiming to have leaked the hacked AshleyMadison.com database.

From taking in much of the media coverage of this leak so far — for example, from the aforementioned Wired piece or from the story at security blogger Graham Cluley’s site — readers would most likely conclude that this latest collection of leaked data is legitimate. But after an interview this evening with Raja Bhatia — AshleyMadison’s original founding chief technology officer — I came away with a different perspective.

Bhatia said he is working with an international team of roughly a dozen investigators who are toiling seven days a week, 24 hours a day just to keep up with all of the fake data dumps claiming to be the stolen AshleyMadison database that was referenced by the original hackers on July 19. Bhatia said his team sees no signs that this latest dump is legitimate.

“On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release,” Bhatia said. “In total we’ve looked at over 100GB of data that’s been put out there. For example, I just now got a text message from our analysis team in Israel saying that the last dump they saw was 15 gigabytes. We’re still going through that, but for the most part it looks illegitimate and many of the files aren’t even readable.”

The former AshleyMadison CTO, who’s been consulting for the company ever since news of the hack broke last month, said many of the fake data dumps the company has examined to date include some or all of the files from the original July 19 release. But the rest of the information, he said, is always a mix of data taken from other hacked sources — not AshleyMadison.com.

“The overwhelming amount of data released in the last three weeks is fake data,” he said. “But we’re taking every release seriously and looking at each piece of data and trying to analyze the source and the veracity of the data.”

Bhatia said the format of the fake leaks has been changing constantly over the last few weeks.

“Originally, it was being posted through Imgur.com and Pastebin.com, and now we’re seeing files going out over torrents, the Dark Web, and TOR-based URLs,” he said.

To help locate new troves of data claiming to be the files stolen from AshleyMadison, the company’s forensics team has been using a tool that Netflix released last year called Scumblr, which scours high-profile sites for specific terms and data.

“For the most part, we can quickly verify that it’s not our data or it’s fake data, but we are taking each release seriously,” Bhatia said. “Scumblr helps accelerate the time it takes for us to detect new pieces of data that are being released. For the most part, we’re finding the majority of it is fake. There are some things that have data from the original release, but other than that, what we’re seeing is other generic files that have been introduced, fake SQL files.”

Bhatia said this most recent leak is especially amusing because it included actual credit card data, even though AshleyMadison.com has never stored credit card information.

“There’s definitely not credit card information, because we don’t store that,” Bhatia said. “We use transaction IDs, just like every other PCI compliant merchant processor. If there is full credit card data in a dump, it’s not from us, because we don’t even have that. When someone completes a payment, what happens is from our payment processor, we get a transaction ID back. That’s the only piece of information linking to a customer or consumer of ours. If someone is releasing credit card data, that’s not from us. We don’t have that in our databases or our own systems.”

A screen shot of the archive released recently that many believe is the leaked AshleyMadison database.

I should be clear that I have no idea whether this dump is in fact real; I’m only reporting what I have been able to observe so far. I have certainly seen many people I know on Twitter saying they’ve downloaded the files and found data from friends who’d acknowledged being members of the site.

Nearly every day since I first reported the exclusive story of the Ashley Madison hack on July 19, I’ve received desperate and sad emails from readers who were or are AshleyMadison users and who wanted to know if the data would ever be leaked, or if I could somehow locate their information in any documents leaked so far. Unfortunately, aside from what I’ve reported here and in my original story last month, I don’t have any special knowledge or insight into this attack.

My first report on this breach quoted AshleyMadison CEO Noel Biderman saying the company suspected the culprit was likely someone who at one time had legitimate access to the company’s internal networks. I’d already come to the same conclusion by that time, and I still believe that’s the case. So I asked Bhatia if the company and/or law enforcement in Canada or the United States had apprehended anyone in relation to this hack.

Bhatia declined to answer, instead referring me to the written statement posted on its site today, which noted that investigation is still ongoing and that the company is simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster.”

Readers should understand that even if this dump does turn out to be legit, just finding someone’s name, email address and other data in the archives doesn’t mean that person was a real user. As the above-mentioned Graham Cluley points out, AshleyMadison never bothered to verify the email addresses given to it by its users.

“So, I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn’t have meant that Obama was a user of the site,” Cluley wrote. “Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not.”
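Cluley’s point is that a stored email address proves nothing unless the site made the registrant prove control of the mailbox, and a commenter below adds that a delivery which merely did not bounce is not that proof either. As an added illustration (not Ashley Madison’s code nor anything from this article), the following shows a member record whose `isvalid` flag can only be set by redeeming a signed, expiring token that was mailed to the address; the signing key and addresses are constructed placeholders.

```python
"""Mailbox-control verification: `isvalid` is set only by token redemption.

Added illustration, not code from Ashley Madison or from the article. The
flag is never set by a send that happened not to bounce; it is set only when
the registrant presents back an HMAC-signed, time-limited token that was
delivered to the address, proving they can read that mailbox.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Server-side signing key: constructed placeholder for the demo, rotate in real use.
SERVER_KEY = b"constructed-demo-key-rotate-me"
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class Member:
    email: str
    isvalid: bool = False             # set only by redeem_verification_token()
    pending_nonce: Optional[str] = None
    pending_expiry: int = 0


def _sign(email: str, nonce: str, expiry: int) -> str:
    """HMAC over the exact address, nonce and expiry so a token cannot be
    moved to another account or extended."""
    msg = f"{email.lower()}|{nonce}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_verification_token(member: Member, now: Optional[float] = None) -> str:
    """Create the token that goes into the verification email."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expiry = int(now) + TOKEN_TTL_SECONDS
    member.pending_nonce = nonce
    member.pending_expiry = expiry
    return f"{nonce}.{expiry}.{_sign(member.email, nonce, expiry)}"


def record_delivery_result(member: Member, bounced: bool) -> None:
    """A non-bouncing delivery proves nothing about who controls the mailbox,
    so this deliberately leaves `isvalid` untouched."""
    if bounced:
        member.pending_nonce = None   # nobody can receive the token anyway


def redeem_verification_token(member: Member, token: str,
                              now: Optional[float] = None) -> bool:
    """Set isvalid only if the presented token is intact, unexpired and
    matches the nonce issued for this exact address. Single use."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, sig = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    expected = _sign(member.email, nonce, expiry)
    if not hmac.compare_digest(sig, expected):
        return False                  # tampered or forged
    if now > expiry or nonce != member.pending_nonce:
        return False                  # expired, replayed or never issued
    member.isvalid = True
    member.pending_nonce = None
    return True


if __name__ == "__main__":
    m = Member("someone@example.com")          # constructed address
    tok = issue_verification_token(m)
    record_delivery_result(m, bounced=False)   # still not valid
    print("after delivery:", m.isvalid)
    print("after redeem:", redeem_verification_token(m, tok), m.isvalid)
```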


376 comments

  1. Mike – “you are” is abbreviated as you’re.

  2. There is an important point that all media should clarify regarding these data:

    Only the dump containing the transactions is worthy – in my opinion it is the only proof “that someone intended to cheat on their partner” as they paid for the service.

    All the other dumps are meh. The one used by trustify & co is based on the emails data dump which is pretty useless:

    1) Anybody could register with any random email address – they were not checked by AM.

    2) Someone might have registered on AM just out of curiosity without using the service at all… which is the same as looking at porn online… we all do it sometimes.

    All these articles, services (Trustify & co) are not objective at all and will destroy lives/marriages for nothing.

    • Any marriage that gets destroyed by any of this already had unresolved issues (Ashley Madison is a symptom…NOT a cause).

      • My marriage is OK. I owned up at the time. It was a stupid mistake made in anger. However I don’t want it all round my kids school, my workplace. Obviously some people never make mistakes and can therefore sit in judgment.

        • No judgment at all…..we ALL fall short (I am no exception)

          “mistake” is a label that you’re using. I agree. My only point is that this needs to be seen for what it is, learn from it, and move on. “I don’t want it all round my kids school”….that’s just the reality of the internet at this point. It’s part of what I was saying at first.

      • Maybe for SOME marriage you are right.

        I think all this fiasco is going towards dangerous misunderstanding that will ruin life, careers and marriage for nothing. Because – as usual – mass media are generalizing, not looking deeply into the matter and moreover not really understanding what these data are.

        Am I more unfaithful by looking at videos on YouPorn or by looking at people profiles on AM or any other websites?

        Does the fact that person X subscribed on AM to look at some users make him more unfaithful than person Y who keeps staring at people in the local pub?

        Where is the threshold to determine whether someone is being unfaithful or not? The sexual act? The meeting? The pre-meeting on a website? Just the fact to think about someone else?

        These data are telling nothing, they prove nothing.

        Don’t get me wrong, it is extremely dumb from people to trust such website, to invest cash in it and to put real information about themselves. But it’s unfair that their information is out there – we all have dirty secrets / desires. And so what?

        That’s just a massive TV reality show. A lot of noise for extremely pointless and mundane stuff.

      • Nonsense. If the marriage is a problem it is because the weaker link (the person starting the Ashley Madison account) has entitlement issues that they should be allowed to screw around behind their partner’s back.

        The best available evidence (from Shirley Glass) is that many marriages are not deemed problematic until AFTER an affair starts.

        If your marriage is untenable, GET OUT. Divorce is legal. Screwing around doesn’t solve marital or personal problems, it causes them and puts adults & children at risk of STDs, financial deception, and horrible psychological symptoms (including PTSD for those who have been betrayed).

        Can’t have an honest relationship? Don’t get married.

    • “Anybody could register with any random email address – they were not checked by AM.”

      Unfortunately that is wrong.

      There is an “isvalid” flag within the member email table. If it is set you can presume the email was checked!

      • Not necessarily. They could have sent an email, and if it didn’t bounce back was flagged as valid. It may have gone into a spam filter, never seen by the recipient.

      • Yes, agree, there is this flag but then it comes to point 2) – someone might have validated their account with more of a voyeur intention rather than a cheating one. Really pretty much the same as looking at porn online.
        And condemning people for doing so is just nonsense – we all do it.

        I’m saying that because I’m surprised at the difference between the email dump and the transaction one – that also contains email address.

        For instance, everybody speaks about these @us.army.mil emails. When I check the email dump, I get 6’910 results… However on the transaction dump there are only 230 results.

        So sure – some may have used Paypal (which does not disclose the transaction), some another address. But it is still a HUGE gap.

  3. I am seriously panicking. I need site to check my name. Not my burner email. Any suggestions?

  4. Can you please explain how the gps data is viewed in the text? Also, are there specific devices that can be traced using the data dump?

  5. let me guess, the Impact Team motto is “keep the internet free but you must live by our morals”. This is more than just a hack, this is the first dangerous step that exposes us all. These guys went after the site but created victims. If people choose to cheat that’s their business, not for some sweaty hacker to determine what they should and shouldn’t be doing. What’s next? Medical records released because people have plastic surgery? Do the Impact Team think that’s immoral because it’s vain? These guys crossed the line and used personal information for their own misguided means. That makes them as bad or worse than any government spy agency.

    • Hackers are not the ones putting anyone at risk of exposure (or any other risk). The risk is being part of the site.

  6. http://naughty.invent-stuff.com/

    Search by name with the above link. However, it appears to mostly be Canadian names/addresses. Very few U.S. for some strange reason.

    • @sSokoloshus. There was a message on the site this morning. That site had an issue with address data returning null. The majority of linked addresses that displayed were in Canada for some reason. They have shut the site now.

  7. It is just a matter of time before there is a “search by zip code” site that is up where someone can see the results of all people in your zip code who signed up, with all of the details. This will be devastatingly embarrassing for my kids for one month of curiosity on my part.

    • Here too… Life is over for me. I never met anyone on the site. Just was pissed at the spouse and decided to “show her”…now it’s over for me. Not good

  8. @sokolishus… that type of search result is exactly what I fear. While that particular site does appear to be only Canadian, it is only a matter of time before there is one for the States.

    • Correct. There were some US addresses in that site (which just got taken down a few minutes ago) but it was predominantly Canadian.

  9. Don’t open any emails that you do not know, especially if it has a subject line which may indicate it could have AM data within.

    When you open up an email and there is a photo or other symbol that can be sent back to them in the form of a web server log, it gets worse. Now they could have the IP address you are using, and can get a general location of where you’re at.

    So make sure your email system does not use PREVIEW pane, which is not good to use for unknown emails. Turn off any sort of email receipts. For spam set up a rule to immediately send the spam to the DELETED folder. Ensure when you close your email the email trash is emptied.

    NEVER respond to these emails. If you do, you’re going to find yourself on a ton of email lists from the SPAM kings themselves.

    If you’re being targeted, the first thing these people do is look up any social media information on you, and then see if there is a significant other in your circle. They can use a few sites on the internet to look up your name and get some general info about relatives and in rare cases, even include a phone number.

    Having false hopes about any class action suits may be a bad idea. If your name comes up associating yourself with the site, it’s almost like an admission of guilt. Since the site did not have any email verification system, it’s nearly impossible to say who signed up legitimately or who was signed up as an act of revenge.

    I read on one website where it was recommended that all women on the AM site should file a class action suit. I don’t know about you, but the chances of any payout are slim to none. By doing that you acknowledge you have been to the site and were/are actively looking. With all that social media craze out there, the women would be hounded by the crazies by the hundreds, before even one legit fish might swim by.
    It also adds a perception of untrustworthiness if you’re willing to come forth and say you were a victim of this site. You can say whatever you wish – it was an experiment, you were just curious, etc.; but the bottom line to most is that you were on a cheating and unethical website as an active member… It’s best to let the drama and stink settle down. Before you know it, some other breach will come along and this one will be buried once and for all. Let’s hope that is REAL soon.

  10. @IA Eng, great advice, thanks. I have been trawling my legit email accounts for e-receipts from the period in which I was on AM. I pulled out a couple of different combinations for my last four digits from them, and tried them on sintonen’s site. All OK. It’s not conclusive. I can’t even remember which card I used but it’s a start.

  11. If anyone finds a search site that returns more info than just email address, please post here so we can get ahead of it as soon as possible.

  12. “… roughly a dozen investigators who are toiling seven days a week, 24-hours a day just to…” …continue adding to the fake data dumps maybe??? If you can’t dazzle them with brilliance…baffle them with bull…

  13. I love the way these hackers invade other people’s privacy whilst remaining anonymous themselves.

    • “I love the way these hackers invade other people’s privacy whilst remaining anonymous themselves.”

      Probably because, unlike the hordes of angry cheaters, Impact Team can be imprisoned for their indiscretions. Maybe the cheaters can take a lesson from Impact Team and ensure they are anonymous themselves next time they decide to arrange affairs online!

  14. Hi..@ IA Eng great advice…any tips for those who get blackmail messages

  15. #1: most of the data DOES open
    #2: CC numbers aren’t in there, aside from the transactions and accompanying personal data, i.e., address, name, etc.
    #3: Does it being theoretically “false” alleviate me from legal repercussions if I were to share it for “security research?” 😉

    • ignore the last question. The first 2 points remain firmly.

      • I should also clarify, when I had said the CC numbers aren’t in there, I had meant in-full. I had figured that’d be clear, but that might be misunderstood, on second thought.

        • I’m curious to know if I used a laptop browser and never verified the email (I used all fake info), how accurate are the gps coordinates? I’ve seen reports that the truly accurate coordinates are from the AM app on phones… and in something like mine they’re either from my IP address (accurate only to the city/area) or to the zip code I gave.
          I wish someone would tell me how accurate the coordinates are for mine… anyone? I signed up to check on a co-worker’s S/O that was allegedly on there and now I’m worried that will bite me in the rear end.

          • @fuzz and people who are worried. I saw the database. First of all it’s very confusing and you have to know somewhat what you’re doing to navigate. I think if you were just a user with fake profile info/email but not a member AND didn’t use a credit card, it will be very difficult for the novice to find you. The real damning stuff is for members who have accounts and used credit cards. Even here, a person has to know pretty much what month, year and date the suspected AM member was on the site. Right now it’s just about plugging in email at this point. I think the problem could be if people start making a database of names with addresses but even then it’s real easy to put random people on the list. And someone mentioned fake dumps: it is easy to falsify this database. It’s just like an xls file. You could delete and add if you wanted. A scammer could do that for blackmail. To all who are worried, just sit back and lay low, there is nothing you can do now, you made a mistake out of poor judgement. It’s as simple as that. You didn’t kill anyone. Your life is not over. Even if you get a divorce or your kids find out, you will have a life; just learn and build. Surround yourself with people who care. And not to sound preachy but God forgives and there is no one righteous, not one. Just live your life and decide what you will do in terms of preparing if it does come to light. Don’t dwell though. Don’t give it more thought than it deserves and thank God we don’t live in a country where you won’t be shot/hung/stoned for being on the site. Those people’s lives are over. It’s sad. You Americans (or those in free thinking societies/gov) though can get through this. You’re tough. If not, start getting mentally tough by reading about people who suffered setbacks, listen to sermons on YouTube about forgiving yourself or overcoming failure. I’ll be praying for all of you. Hang in there. Geez, sorry, didn’t mean to go off on a tangent there!

  16. I don’t see these guys as heroes whatsoever. If they were after the company, they could have settled with the internal mails and such. The fact that they went after the users’ heads makes them as evil as AM – whatever a person does with their lives is their own business, regardless of the hackers’ moral values. Don’t want an affair? Don’t have one. You are not God, it’s not your job or your place to judge others. Not saying that cheating is OK, just that whatever you think you know about another person is not always the truth. They could have turned to AM with the security flaw, they didn’t have to actually steal the information in order to prove their point. How does posting someone’s credit card info help to raise security? It probably doesn’t, but that someone now has to pick up the pieces of his/her life. Just because you have certain values doesn’t mean you have the right to enforce these values on others. It is not fundamentally different from enforcing religious values on non-religious people. Mind your own business and let other people mind their business, how hard is that… Someone is obviously playing God here; and while cheating is bad Karma, so are stealing, judging and shaming. With all that money involved, there is a fair chance the hackers will get caught. No one is immune.

  17. There is a name search out there now. I don’t want to list the site, but on other sites my burner email popped, but my CC last name and last 4 of my card did NOT pop. However on this new, not to be mentioned searchable site, everything is there minus conversations and pics.

  18. @chris can you give some clue as to where this is? I’m not interested in anyone’s data, just my own.

  19. I’ve just been in contact with someone who claims to have the data. They are charging ?10 for a full report on all your data. I asked if they have billing addresses, they said yes and offered to check for free, if it was there I would have to pay for actual info. I gave them my burner email, they found it but did not find any billing info. I then gave them my name. Risky, I know, but they seemed on the level; they looked at the data again and came back again with no billing data. So I’ve either been conned completely and they’ve taken my name and email or I’m in the clear. I was assuming they would come back and say the address was there and take my money and disappear but they didn’t, so that might be a good sign.

  20. ExtenuatingCircumstances

    Does anyone know the date range of the dumped credit card data? Some media reports that it is only 7 years of data?

  21. Take a look on Twitter they have a page. It took me about 5mins to find it.

    • Thanks for the help! I checked on Twitter and still could not find anything. Have a good evening.

      • @isheonthelist

        I don’t like promoting them as they are extorting money from desperate people but, on the other hand, I know how you feel. Let me know if you think they’re legit.

        • Thank you so very much! I may sleep on this to decide what I might do. Freak out about getting any more of any of my information to anybody

          • Email the support team there. They were very helpful. Let me know how it goes.

            @moderator / Krebs please delete my comment 8.14pm. I don’t want to promote this site for any longer.

            • TJ – Thanks a ton! I went on the site and am skeptical. The high fees charged to remove you from their system sound too familiar to AM!!

              • Any update Sokol?

                • Hi TJ – no, I am not paying that company at this time. I am waiting to see if others offer something without the feeling that I am being fleeced. I am gun shy about giving away any info right now. If you hear of anything else, please post.

  22. Can anyone advise on the best way to search through the dump? I’ve been using Firefox and Ctrl+F searches but I have found none of my details. Are there any other programs that are more efficient for browsing .dump files?



13
Mar 19

Ad Network Sizmek Probes Account Breach

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of the people listed in those screen shots are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world’s third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not an all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — were likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”

The Sizmek incident carries a few lessons. For starters, it seems like an awful lot of people at Sizmek had access to sensitive controls and data a good deal longer than they should have. User inventory and management is a sometimes painful but very necessary ongoing security process at any mature organization.

Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately.

Pappachen asked KrebsOnSecurity what else could have prevented this. I suggested some form of mobile-based multi-factor authentication option would prevent stolen credentials from turning into instant access. He said the company does use app/mobile based authentication for several of its new products and some internal programs, but allowed that “the legacy ones probably did not have this feature.”

PASSWORD SPRAYING

It’s not clear how this miscreant got access to Sizmek’s systems. But it is clear that attackers have moved rapidly of late toward targeting employees at key roles in companies they’d like to infiltrate, and they’re automating the guessing of passwords for employee accounts. One popular version of this attack involves what’s known as “password spraying,” which attempts to access a large number of accounts (usernames/email addresses) with a few commonly used passwords.

There are technologies like CAPTCHAs — requiring the user to solve an image challenge or retype squiggly letters — which try to weed out automated bot programs from humans. Then again, password spraying attacks often are conducted “low and slow” to help evade these types of bot challenges.
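Because a spray touches many accounts lightly rather than one account heavily, the detection signal is different from the one a per-account lockout rule looks for. The script below is an added example for this post, not code from KrebsOnSecurity or from Sizmek: it correlates failed logins per source address over a multi-hour window (to catch the “low and slow” variant) and flags sources that fail against many distinct usernames while hitting each only once or twice. The log format, thresholds (`min_users`, `max_per_user`, `window`) and sample lines are constructed for the example.

```python
"""Flag password-spraying sources in authentication logs.

Added example for this post; not code from KrebsOnSecurity or Sizmek.
A spray tries one or two common passwords against MANY accounts, so the
signal is a source address that fails against an unusually large number
of distinct usernames while hitting each one only once or twice. Sprays
are run "low and slow", so failures are correlated over hours, not minutes.
The log format, thresholds and sample lines are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 time> <FAIL|OK> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"].lower(), "ip": m["ip"]}

def find_sprayers(lines, window=timedelta(hours=6), min_users=5, max_per_user=2):
    """Return {ip: [usernames]} for sources whose failed logins inside some
    `window` touch at least `min_users` distinct accounts with at most
    `max_per_user` failures each ("wide and shallow"). A source hammering a
    single account is classic brute force, left to a per-account lockout rule."""
    failures = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    failures.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, events in by_ip.items():
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window's left edge forward until the span fits
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in events[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = sorted(per_user)  # keep the widest qualifying window
        if best:
            flagged[ip] = best
    return flagged

# Constructed sample: 198.51.100.7 sprays six accounts about once an hour,
# 203.0.113.9 brute-forces one account, 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """
2019-03-13T01:00:00 FAIL user=alice ip=198.51.100.7
2019-03-13T01:00:05 FAIL user=Alice ip=203.0.113.9
2019-03-13T01:00:20 FAIL user=alice ip=203.0.113.9
2019-03-13T01:00:35 FAIL user=alice ip=203.0.113.9
2019-03-13T01:00:50 FAIL user=alice ip=203.0.113.9
2019-03-13T01:01:05 FAIL user=alice ip=203.0.113.9
2019-03-13T02:05:00 FAIL user=bob ip=198.51.100.7
2019-03-13T03:10:00 FAIL user=carol ip=198.51.100.7
2019-03-13T04:15:00 FAIL user=dave ip=198.51.100.7
2019-03-13T05:20:00 FAIL user=erin ip=198.51.100.7
2019-03-13T06:00:00 FAIL user=frank ip=198.51.100.7
2019-03-13T09:00:00 FAIL user=grace ip=192.0.2.5
2019-03-13T09:00:30 OK user=grace ip=192.0.2.5
not a log line at all
""".strip().splitlines()

if __name__ == "__main__":
    for ip, users in find_sprayers(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {len(users)} accounts -> {users}")
```

In production the per-source key would usually be widened (an ASN or a user-agent plus IP) because, as the next section notes, sprayers increasingly spread requests across many hijacked devices; the wide-and-shallow shape of the failures is the part that survives that change.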

Password spraying was suspected in a compromise reported last week at Citrix, which said it heard from the FBI on March 6 that attackers had successfully compromised multiple Citrix employee accounts. A little-known security company, Resecurity, claimed it had evidence that Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data.

Resecurity drew criticism from many in the security community for not sharing enough evidence of the attacks. But earlier this week the company updated its blog post to include several Internet addresses and proxies it says the attackers used in the Citrix campaign.

Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018. Citrix initially denied that claim, but has since acknowledged that it did receive a notification from Resecurity on Dec. 28. Citrix has declined to comment further beyond saying it is still investigating the matter.

BRUTE-FORCE LIGHT

If anything, password spraying is a fairly crude, if sometimes marginally effective, attack tool. But what we’ve started to see more of over the past year has been what one might call “brute-force light” attacks on accounts. A source who has visibility into a botnet of Internet of Things devices that is being mostly used for credential stuffing attacks said he’s seeing the attackers use distributed, hacked systems like routers, security cameras and digital video recorders to anonymize their repeated queries.

This source noticed that the automated system used by the IoT botmasters typically will try several dozen variations on a password that each target had previously used at another site — adding a “1” or an exclamation point at the end of a password, or capitalizing the first letter of whole words in previous passwords, and so on.

The idea behind this method is to snare not only users who are wholesale re-using the same password across multiple sites, but also users who are re-using slight variations on the same password.

This form of credential stuffing is brilliant from the attacker’s perspective because it probably nets him quite a few more correct guesses than normal password spraying techniques.

It’s also smart because it borrows from human nature. Let’s say your average password re-user is in the habit of recycling the password “monkeybutt.” But then he gets to a site that wants him to use capitalization in his password to create an account. So what does this user pick? Yes, “Monkeybutt.” Or “Monkeybutt1”. You get the picture.
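The defensive counterpart to this attack is to apply the same mangling rules the attacker does, but at password-change time, when the server holds both the old and the new plaintext and can refuse a “Monkeybutt1” that is really just “monkeybutt” with a hat on. The code below is an added example for this post, not code from KrebsOnSecurity or any product; the normalisation rules, the `min_core` threshold and the function names are the example’s own choices. It generalises slightly beyond the text by also undoing common leet substitutions and catching the old password embedded inside the new one.

```python
"""Refuse a new password that is only a trivial variant of the old one.

Added example for this post; not code from KrebsOnSecurity or any product.
The "brute-force light" tactic succeeds because users recycle a known
password with a trailing "1" or "!" or a capital letter. At change time
the server has both plaintexts, so it can normalise both with the rules
attackers cycle through and reject the change when the cores coincide.
"""
import re
import unicodedata

# Undo the most common "leet" substitutions (e.g. "M0nk3y" -> "monkey").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def password_core(pw: str) -> str:
    """Strip the decorations a variant attack cycles through: letter case,
    any leading/trailing digits or punctuation, and leet substitutions."""
    pw = unicodedata.normalize("NFKC", pw).casefold()
    pw = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)   # "monkeybutt2019!" -> "monkeybutt"
    return pw.translate(LEET)

def is_trivial_variant(old: str, new: str, min_core: int = 4) -> bool:
    """True when `new` has the same core as `old`, or one core contains the
    other (covers "monkeybutt" -> "monkeybuttmonkeybutt"). Two passwords
    made only of decoration (e.g. "1234" vs "9999") collapse to the same
    empty core and are also treated as variants. Cores shorter than
    `min_core` are too short for containment to mean anything."""
    c_old, c_new = password_core(old), password_core(new)
    if c_old == c_new:
        return True
    if min(len(c_old), len(c_new)) < min_core:
        return False
    return c_old in c_new or c_new in c_old

def validate_change(old: str, new: str, min_length: int = 12) -> list:
    """Return the reasons a password change is rejected (empty list = accepted)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"new password shorter than {min_length} characters")
    if is_trivial_variant(old, new):
        problems.append("new password is a trivial variant of the old one")
    return problems

if __name__ == "__main__":
    # constructed inputs built on the article's "monkeybutt" example
    for candidate in ["Monkeybutt1", "M0nk3yButt2019!", "correct horse battery staple"]:
        print(candidate, "->", validate_change("monkeybutt", candidate) or "accepted")
```

The check only works against the old password the user types during the change; stored history is (correctly) hashed, so earlier passwords can only be compared by hashing the new candidate and its handful of reverse-decorations against those hashes, which is the same idea applied from the other side.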

There’s an old saying in security: “Everyone gets penetration tested, whether or not they pay someone for the pleasure.” It’s kind of like that with companies and their users and passwords. How would your organization hold up to a password spraying or brute-force light attack? If you don’t know, you should probably find out, and then act on the results accordingly. I guarantee you the bad guys are going to find out even if you don’t.


29 comments

  1. The Sunshine State

    “monkeybutt” in plain text or take the same thing and encode in Base 64 which is “bW9ua2V5YnV0dA==”

    Which one is a better password? I don’t see why more people are doing this.

    • Perhaps because it’s pretty much impossible to remember? I’d say that’s why.

      And if you’re going to put it in a password manager, then you might as well use a decent passphrase to begin with.

      • The Sunshine State

        I disagree with you. If you take a phrase you always remember like “TheSunshineState”, then it’s just a matter of inputting the data in a Base 64 encoder to obtain the same password over and over again, which is pretty simple because it’s always the same.

        The password strength of doing this is incredibly strong if you go over 10 characters, so an attacker doing a brute force or dictionary attack would find it extremely hard if the website uses a strong hash along with the use of salt.

        • Wrong. If you choose a simple password, and then do “something clever” to it to make it look random, it’s still a bad password.

          It can help against basic online attacks like is described in this article, however as soon as some service you use has their password database stolen (it happens ALL THE TIME) you’re hosed. It would just be one more transformation rule among many that the crackers apply to their wordlists, especially if a lot of people start doing it.

          As a rule of thumb: if your password would be weaker if an attacker knows how you came up with it, then it’s not a good password.

          It’s simpler AND easier to do one of these instead:

          * Use a password manager
          * Use a randomly generated diceware phrase
          * Come up with a long gibberish sentence (if you have trouble remembering diceware)

      • Ah, no. You should forget you ever read anything about “correctbatteryhorsestaple” on XKCD, and opt for a *completely random* 15-18 character password.

    • The longer password is better, because it is longer. Randomness, or the appearance of randomness, has less importance in password cracking than length.

      I’ll quote myself from 27 Nov. 2018:

      Randomness in a password’s characters only has a marginal effect on difficulty to crack it, because it frustrates a dictionary-based attack. But that’s it.

      The best password is long and easy to remember, so you’ll be able to use it without jotting it down.

      Here’s why a long password beats a complex one:

      https://math.stackexchange.com/a/1934499

    • Common permutations are easy to account for if you are trying to crack a dictionary password, and encoding something in base 64 is a one-to-one translation that offers no gain in entropy. Basically “bW9ua2V5YnV0dA==” is *exactly* as hard to guess as “monkeybutt” if you are including base 64 encodings of your guesses as well, and why wouldn’t you?

      There is an important difference between encoding and encryption. Encoding offers no gain in entropy. It’s a one-to-one and onto transformation. It’s invertible, so given an *encoded* string, it is trivial to get the non-encoded string back (granted it helps to know what the encoding was).

      And the long password vs. random password argument (getting off topic from your post now): grammatically correct English has about 4 bits of entropy per word according to some studies, which is pathetic! Random word choices have up to 12 bits per word according to some studies (xkcd assumes this number for any word), which can get you a pretty strong and easy to remember password with four random words. Random characters have about 7 bits each, but you can cram a ton of them together in a short password. Neat. Why not go long and random with a password manager?

      tl;dr, get a password manager.

      • Correction to my previous comment: random words drawn from all of the English language have a TON of entropy per word, but you are pretty likely to get words that are hard to remember or spell. Random common words give you about 12 bits of entropy per word, depending on how you define “common”. Much lower than all words, but much easier to remember, and you can string several together.

        Still, fully random long passwords are best. Use a password manager.

      • Wouldn’t adding a salt to the password and then transforming it be sufficient? For instance, HASH(correcthorsebatterystapleXYZ)? If that’s a valid assumption then you could use a password manager to save the salts, which you can change instead of the passwords.

        • If by “hash” you mean convert to Base 64, then you are only gaining whatever entropy the salt gives you by itself. I guess the first point I am trying to make is that 1-to-1 conversions like encoding in Base 64 don’t gain you anything.

          If you mean using passwords you can remember while storing random salts with a password manager, I guess that could work. Why not just use the password manager outright though? I think if you have a short salt this could leave you vulnerable to the password spraying approach mentioned in this article, e.g. if you reuse the same password with a different salt, then anybody who knows the base password has gotten a long ways toward factoring a hash that they might have for some other account of yours.

          Basically when in doubt, random is your friend. An 18-character random password drawn from all letters, numbers, and symbols gives something like 126 bits of entropy, or 4e37 guesses for a 50% chance of finding your password. At 1e16 guesses a second (peta-Hertz guess rate, so somebody is throwing serious money at this problem), that gives you 1e15 years until you hit the 50% mark. Granted you could guess right on the first try, but it’s extraordinarily unlikely.
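The arithmetic in this sub-thread (an invertible encoding adds no entropy; length and alphabet size, not appearance, decide search time) can be checked in a few lines. The script below is an added example, not code from the commenters or from KrebsOnSecurity. The eight-word dictionary is a constructed stand-in for a cracker’s wordlist, the 1e16 guesses/second rate is the figure from the comment above, and 7776 is the size of the standard Diceware list.

```python
"""Guess-space arithmetic for the Base64 / length / randomness discussion.

Added example; not code from the commenters or from KrebsOnSecurity.
Point 1: Base64 is injective, so encoding every candidate in a wordlist
yields exactly as many candidates, hence the same entropy in bits.
Point 2: entropy is length * log2(alphabet); search time follows from it.
"""
import base64
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776          # size of the standard Diceware list (6^5)

def entropy_bits(candidates) -> float:
    """Entropy of a password chosen uniformly from a finite candidate set."""
    return math.log2(len(set(candidates)))

def base64_variants(candidates):
    """The same candidate set after Base64-encoding each member (still 1:1)."""
    return {base64.b64encode(p.encode()).decode() for p in candidates}

def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def bits_random_words(wordlist_size: int, count: int) -> float:
    """Entropy of `count` words drawn uniformly (with replacement) from a list."""
    return count * math.log2(wordlist_size)

def years_to_half_search(bits: float, guesses_per_second: float) -> float:
    """Years needed to try half the space (50% chance of success) at a given rate."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR

# Constructed mini dictionary standing in for a cracker's wordlist.
WORDLIST = ["monkeybutt", "password", "letmein", "sunshine",
            "dragon", "qwerty", "football", "iloveyou"]

if __name__ == "__main__":
    print("plain wordlist bits :", entropy_bits(WORDLIST))
    print("base64'd wordlist   :", entropy_bits(base64_variants(WORDLIST)))
    print("18 chars, 95 symbols:", round(bits_random_chars(95, 18), 1), "bits")
    print("4 Diceware words    :", round(bits_random_words(DICEWARE_WORDS, 4), 1), "bits")
    print("years to 50% at 1e16/s for 126 bits:",
          f"{years_to_half_search(126, 1e16):.2e}")
```

Note that 95 printable ASCII symbols give about 118 bits for 18 characters; the comment’s 126 bits corresponds to a 128-symbol alphabet. Either way the “monkeybutt” wordlist has the same three bits of entropy before and after Base64.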

    • Would it make it more random? Sure. Will you get anyone to use it in a business setting? Not likely.

      You’re not going to get anyone beyond tech people remotely interested in that. Try selling it to your accounting or HR group. We are here to educate and help businesses stay safe. You’ll get laughed, if not run out of a room suggesting that to employees. MFA and password managers are the best bet for the time being.

  2. Good catch.

    Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018 [!!!]. Citrix initially denied that claim [!!!], but has since acknowledged that it did receive a notification from Resecurity on Dec. 28 [!!!]. Citrix has declined to comment further [???] beyond saying it is still investigating the matter.

    • Their public relations spokesperson should be sacrificially fired, after replying with such stupidity, even if being hurried and pressured into a statement by the press or others. They should have bought time, with a BS statement such as:

      At Citrix, we take security related matters very seriously. We cannot comment at this time as the matter is currently under review.

      Then they could scramble to do what they should have done in the first place! Like look into any security-related notifications whether reported via the outsourced Filipino/Indian customer service center, a sales rep or any other mode of contact.
      They probably have no formal method in place to deal with such notifications or the process is so onerous, no one can penetrate, like when the teen that first reported the Facetime vulnerability to Apple.

      • Do you actually believe the PR person who delivered the statement unilaterally approved that statement for release? Doubtful. It was likely approved by someone higher up than PR.

  3. And all those “world’s top online properties” wonder why those of us who are security conscious choose to block ALL ads, not just those that violate our privacy.

  4. We used to do a “super randomized complex password” scheme, like rolling your face on the keyboard for password gen (i.e. W3BW$hs#$YuK), but honestly all we found out is like said above, it only actually thwarts standard dictionary attacks. For brute-force the 16 character password “Ihaveapassword4!” is just as complicated as “H58ccE$lao%g1v*z” because they both follow the same convention of “At least one upper and lower case, at least one number and at least one special character”. The horrible part is that when we insisted on those “complex” passwords, all it really did is make people write them down more and leave them in places around their office.

    Password length is really the only real method you’ll get decent security with. I’m turning more now to using those same requirements, but also turning the password length requirements up to 20 or 24. So I suggest my users to just think of some words that they could remember, string em together, throw in some capitalization, numbers and season with special characters. Makes it much more memorable and less likely for someone to write it down on a post-it note and tape it to their monitor *facepalm*.

    And if you really want to get fun, see if what you are putting your passwords in allows you to use a space in your passwords. It really ups the level of “complexity” when you do because a lot of brute force for whatever reason doesn’t seem to check for the spaces.

    • Complex passwords almost always result in people writing them down on sticky notes and hiding them in “super secure places” like under their keyboards. Or, digital sticky notes that come natively with Windows. I remember my boss was sharing his screen with me not too long ago and he closed his browser which showed his desktop. All of his passwords for all accounts were on sticky notes… and this was a very large information security company. I still laugh at that. I can maybe see a password-protected Excel spreadsheet that is also encrypted (if you’re going those lengths, why not get a password manager? I digress…), but everything on sticky notes? Really? The worst part is, he isn’t the only one. We’re only as good as our cyber hygiene.

      • I use KeePass religiously

      • “why not get a password manager?”

        To put it simplest: most people don’t understand what encryption is/is for.

        What I usually tell people is: use words, sure, but randomly generate them. Caltrop them with random bits too if you can manage it. The longer the better- if the system will let you, anyway.

        Then we invariably get into password managers and the value of encryption, because- as I said- most people don’t really know what that means.

        They see no difference in value between keeping passwords in a Word document and keeping them in an encrypted vault.

  5. Brian, I sent you a direct message on Twitter. I hope you read it

    🙂

  6. ChrisSuperPogi

    “Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately..”

    Well said!

    Pappachen’s inquiry on “what else..” becomes moot and academic if the governance is not practiced very well.

    My $0.02

  7. OK, I want to use a password manager.
    What should I look for in features.
    And, what should I avoid?
    Thanks

    • Depends on what you’re comfortable with/want.

      This is always a balancing act between security and convenience.

      Probably the first fork in that road is: do I use an “online” password management system, or do I keep an encrypted vault offline?

      Both approaches have pros and cons. An online vault is simpler, more accessible, but you have to reckon with whether or not you trust the people keeping it, and even then you have to accept a certain degree of risk there.

      You could keep a vault offline, but that puts the burden of file management entirely on you.

      The next most important featureset is probably the sorts of credentials you’re allowed to use for access to the manager/vault. Many are now offering some form of 2FA, as an example.

    • I strongly advise against password managers, both because of complexity and trust issues.

      Anything connected to a website is insecure. Anything kept on an Internet-connected device is insecure. All major password managers were recently found to leak memory to other apps, where your passwords could wind up online.

      Consider your coworkers and loved ones, who will pick up the pieces when you die. It’s inevitable.

      Anything too complex will mean tremendous headaches and heartaches for them. Keep it simple enough for them.

      I’m a big fan of just storing my personal passwords in an old address book on my desk. Every few months, I make a photocopy of any updates and new credit, bank, and ID cards, put in an envelope, and leave it in my bank’s deposit box.

      I’ve never lost a password or had technical issues with this method. It is impervious to hacking and fire, as well. And it’s very easy for my family to get, when I’m gone.

      For work, I just use a password-protected spreadsheet that I keep in an off-line computer. It’s hackable, but you’d have to be on-site to try. And if you’re already on-site breaking in to stuff, there are bigger concerns than some stupid passwords.

      Every month, I’ll print out a copy to keep in our office safe, accessible to myself and my partners.

      Complexity is the enemy of convenience. You’re only as secure as the system you choose to follow regularly, so keep it convenient.

  8. Thank you for the article, good read. It made me think about the less ways to take advantage of this though. i.e. all major US mobile carriers (as far as I know) have special “*” or “#” dialing sequences that when dialed, will forward all calls. A phishing attack could either convince people to dial a sequence or possibly even a well crafted link could cause people to click it and attempt to dial, essentially forwarding all their calls, and with at least a few of the major MFA implementations I’ve seen, phone calls are usually a secondary option for the SMS # on file.

    The other means is the new VoIP features from carriers like TMobile. TMobile’s “DIGITS” feature lets you use an app to login to your phone number, which gives access to inbound/outbound calling and SMS. So simply compromising one’s TMobile account in a phishing attack would give an attacker the ability to 1. Turn on DIGITS if not already enabled and 2. essentially have full access to any # on the account via the DIGITS app.

    I’m not knocking digits by any means, I think it’s an innovative technology. We just need to look at attacks, both technical and social, from all angles.
    -Ed



Alleged Child Porn Lord Faces US Extradition — Krebs on Security

22
Mar 19

Alleged Child Porn Lord Faces US Extradition

In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been in custody ever since. This week, Ireland’s Supreme Court cleared the way for Marques to be extradited to the United States.

Eric Eoin Marques. Photo: Irishtimes.com

The FBI has called Marques the world’s largest facilitator of child porn. He is wanted on four charges linked to hidden child porn sites like “Lolita City” and “PedoEmpire,” which the government says were extremely violent, graphic and depicting the rape and torture of pre-pubescent children. Investigators allege that sites on Freedom Hosting had thousands of customers, and earned Marques more than $1.5 million.

For years Freedom Hosting had developed a reputation as a safe haven for hosting child porn. Marques allegedly operated Freedom Hosting as a turnkey solution for Web sites that hide their true location using Tor, an online anonymity tool.

The sites could only be accessed using the Tor Browser Bundle, which is built on the Firefox Web browser. On Aug. 4, 2013, U.S. federal agents exploited a previously unknown vulnerability in Firefox version 17 that allowed them to identify the true Internet addresses and computer names of people using Tor Browser to visit the child porn sites at Freedom Hosting.

Irish public media service RTE reported in 2013 that Marques briefly regained access to one of his hosting servers even after the FBI had seized control over it and changed the password, briefly locking the feds out of the system.

As Wired.com observed at the time, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition. FBI investigators told the courts they feared he would try to destroy evidence and/or flee the country. FBI agents testified that Marques had made inquiries about how to get a visa and entry into Russia and set up residence and citizenship there.

“My suspicion is he was trying to look for a place to reside to make it the most difficult to be extradited to the US,” FBI Special Agent Brooke Donahue reportedly told an Irish court in 2013.

Even before the FBI testified in court about its actions, clues began to emerge that the Firefox exploit used to record the true Internet address of Freedom Hosting visitors was developed specifically for U.S. federal investigators. In an analysis posted on Aug. 4, reverse engineer Vlad Tsrklevich concluded that because the payload of the Firefox exploit didn’t download or execute any secondary backdoor or commands “it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

According to The Irish Times, in a few days Marques is likely to be escorted from Cloverhill Prison to Dublin Airport where he will be put on a US-bound flight and handcuffed to a waiting US marshal. If convicted of all four charges, he faces life in prison (30 years for each count).


92 comments

  1. With any luck he’ll end up in a prison with crappy security and a population that knows who he is and what he did.

  2. That is one sick puppy

  3. I think that for once, the comments calling for something bad to happen to this individual might be justified.

  4. Thank you for this update. Let’s get this case going.

  5. For those of you endorsing violence in prison against this individual, just think about what you are accepting. Have you really considered that you, your kids, or your friends could also possibly end up in the same prison system where it is acceptable or condoned for prisoners to be assaulted?

    • Well, if they were doing this to children, then YES!

      • Well then why don’t we just change the laws and have the courts sentence them to physical torture and rape? The price people pay for crimes committed should be the price of the sentence prescribed by the courts, not vigilante justice. If you actually think that people convicted of crimes should be tortured and beaten up as part of their punishment, then pass laws that sentence them to that. It is not the job of convicts, prison guards or police officers to dole out punishment. The punishment is for the courts to decide, and if that is not good enough, then change the laws.

    • If any of my relatives do what this guy did, then my relatives would get what they deserve.

      • Valarie Crockett

        And will you not be just as bad as your relative and deserve punishment for your wrongdoings? Maybe a counselor could help explain why people look at porn in the first place. Some people need help, not to turn your cheek the other way.

    • Yeeahhh normally I’d agree with you, but not this time.

    • Sarah Everidge

      To condone violence against others as a solution is never going to work

      • Violence tends to cause more violence so even if it should technically solve a problem in most of the cases it still isn’t wise to use violence. If you are categorically against violence I respect you and if society treats even a monster like a human being I am proud about that. But in case of child pornography if violence happened against someone who did it or who profited from it I wouldn’t be unhappy if society collectively turned around and allowed someone punish the ones who ruined countless lives that just had begun for them.

        • These days we don’t really know who those criminals are, or whether they have a background of doing something or not. Some of them really know how to hide from authority and it is sad that our children might be a victim. I just found a website that can search your name online if you have done something illegal in the past. It has free background checks; here is the link https://www.checkpeople.com/background-check

    • If anyone close to me, no matter the relation, did this, and I found out about it, they would be lucky to survive long enough to go to jail. This is one of the most sickening things imaginable. Absolutely no sympathy for these vomit-inducing scumbags.

    • Have you considered if the victims were your kids? Anyone who does this to children, family or not shouldn’t receive any compassion. This is absolutely unacceptable, and if a family member did this to any children, I would personally impose physical discomfort on them and assist law enforcement as needed to ensure they stay locked up behind bars. So sickening!

  6. Aside from the obvious outrage over this sleazy individual and his “line of business”, I am somewhat disturbed over Firefox having such backdoor! Did anyone else notice that “little” nuance?

    As much as I like the fact that it helped FBI to catch this guy, I am also appalled that it will help assist “strongmen” in Russia, Turkey, China, Iran, Venezuela to go after political opposition and dissidents. That should not be allowed, Mozilla foundation!

    • It was a zero-day vulnerability that had been patched by the time the story broke (I think it was even patched in the latest Tor Browser during the investigation, but not everybody had updated) and required JavaScript to be enabled (a bad security practice that I do not know why the Tor Project engages in by default).

      • Technically recent copies of Tor Browser ship with noscript enabled in whitelist mode where all scripts are disabled by default and must be explicitly enabled one by one. Most modern websites are broken with javascript disabled which is why the option to enable it is included instead of a blanket enable/disable option (which would, arguably, be far worse than the finer toothed noscript option). Not sure about the timeline, noscript may have been started to be included in response to this exploit.

  7. I’m more than a little confused on the technology here. Was this a website on a traditional server that somehow shows up as an onion website?

    • It existed on the Internet but the website could not be accessed via a usual Internet address (“clearnet”) but only via an overlay network called Tor; it *was* possible to administer it via its IP address (not over the Web, but over other protocols like SSH), but things like vhosts can be set to disallow Web access without using the proper hostname, and it is not possible to get an IP address from a .onion domain (hidden-service name).

  8. The Sunshine State

    One of the worst federal charges that you can get nailed with is “Child Porn.” There is absolutely no defense if the feds do a hard drive forensic and find illegal images: “stick a fork in you, you are done!”

  9. Dear FBI, your miserable attempts to track us down and arrest us will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous.
    I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
    Just who do you think you are anyway to sit there in your rotten departments of (in)justice and make plans on how to arrest citizens for browsing the internet?

    We the freedom fighters will never let you seize our freedoms and individual liberties.

    You can make exploits, we will make security systems.
    You can keep tracking us, we will keep anonymizing ourselves.

    Encryption is on our side.
    Human will is on our side.
    Liberty is on our side.
    We will be victorious.

    • So… I guess prepubescent children don’t deserve any of the freedom you claim to be fighting for.

    • Anubis = the Egyptian god of mummification and the afterlife as well as the patron god of lost souls and the helpless.

      Apparently this wannabe freedom fighter is focused on the lost souls versus the helpless.

      In any case he’s a troll.

    • “We will be victorious.”

      No, you won’t.

    • Mighty Anonamouse

      Dear TORTURE OF CHILDREN, your miserable attempts to ESCAPE us – will be rendered hopeless as Internet and money becomes more and more decentralized, more and more anonymous, MORE PEOPLE WILL GO DEEP TO GET YOU.
      I will devote the rest of my life to fighting for the freedom of countless individuals who wish for only one thing in their lives – privacy and liberty.
      Just who do you think you are anyway to sit there in your rotten CAVE of injustice and make plans on how to TORTURE CHILDREN for FUN?

      We the freedom fighters will never let you seize our CHILDRENS freedoms and individual liberties.

      You can HIDE IN exploits, we will make security systems.
      You can keep HIDING, we will keep FINDING YOU.

      TIME is on our side.
      Human will is on our side.
      Liberty is on our side.
      We will be victorious.

    • “… countless individuals who wish for only one thing in their lives – privacy and liberty.”

      That’s two things.

    • You forgot about the most powerful advocate of children. JESUS CHRIST LORD.OF LORDS and KINGOF KINGS.

    • You are an IDIOT!
      Your stupid liberty bell argument has no merit. You have no common sense; I take it you are one delusional mind. And can you tell me just what in hell’s name you do on the internet that has you thinking you’re some freedom fighter of privacy! Unfortunately the world is a sick, sick place and those evil people took our privilege of privacy online away. These are innocent children and have more of a right than your internet privacy to be safe! So suck it up, buttercup. You are being watched, get used to it, so pick the right fight to fight! Your head is twisted and you ain’t Superman and no, you can’t fly!!!

  10. Harry Johnston

    So far as I can tell, the alleged crimes took place while the accused was in Ireland. Why is he being extradited to the US?

    • The story linked at the bottom of the piece goes into that question in detail.

    • Short answer: The FBI had the evidence against him. They have much more credibility in US courts. Irish prosecutors declined to charge him so the courts would send him to the US where he’s *much* more likely to be convicted.

    • “Marques, who holds dual Irish-US citizenship, was denied bail and held pending his nearly six-year appeal process to contest his extradition.”

      US citizenship means he is subject to all US laws, no matter where he is.

  11. The real porn lords are the elite like the Rothschilds, Rockefellers and Jesuits. This is just a fall guy that provides them with “throwaway” children they eat after sodomizing and drinking their blood to stay young. When it doesn’t work anymore they get a replacement body. The secret tech is very close to what we see in science-fiction which is really non-fiction. Truth is stranger than fiction. They lie about everything else. Why not that too?

  12. “Government says…”
    “Investigators allege…”

    What does the evidence show? What is the defense saying?

    It’s all well and good to report on convictions and the legal process, but what is the public interest being served by repeating salacious allegations from government thugs or name-calling the defendant for a headline?

    Btw, calling child abuse imagery “porn” diminishes its seriousness. The legitimate porn industry helped build the Internet (1). Real porn is gross, but harmless. This crap, however, is a symptom of despicable abuse, and should be called as such: recorded images of child abuse.

    That said, this case is nonsense. Even if the guy did everything alleged, it wasn’t in the US and he wasn’t in the US. The search warrants will be tossed out or it’ll end in a plea. It’s obvious that the FBI utilized NSA expertise and they’ll want to keep that out of the public record. No way this gets to a jury.

    (1) google it.

    • Apparently you missed “Marques, who holds dual Irish-US citizenship”, and you didn’t read the Irish Times article that Brian pointed to and you are not familiar with US Extraterritorial jurisdiction (ETJ).

      There are certain crimes that US citizens can be held accountable and indicted, no matter where they are perpetrated.

      Also, extradition treaties come into effect.

      Consider El Chapo in Mexico may have never set foot in the US. So using your logic, he could never be held accountable and tried in the US. But that’s not how the system works.

      • The only reason Ireland is surrendering Marques is their inability to do anything useful with the illegally obtained information gathered by the FBI, while not wanting to appear lenient regarding child abuse imagery.

        Unlike Guzman, Marques is not alleged to have done any crimes, or directed crimes be done, in the US. The FBI was completely out of their authority to remotely investigate this case.

        Guzman’s activities directly affected Americans.

        US authority doesn’t extend into other countries when crimes don’t affect Americans. A long string of Supreme Court rulings have knocked down laws seeking to punish people who do bad things overseas. (1)

        The process here is an attempt to circumvent the Irish jury system and intimidate Marques to plead guilty on arrival to the US. It will probably never reach a US jury, as it offends Americans’ sense of justice to consider illegally obtained evidence.

        (1) http://cornelllawreview.org/articles/what-is-extraterritorial-jurisdiction/

        • “US authority doesn’t extend into other countries when crimes don’t affect Americans.”

          Ah, so none of the abused children were Americans. Is that right? It’s not mentioned in the article. And even if that were the case, are American children worth more than non-American children?

          It seems him having US citizenship is enough to grant them jurisdiction, and I’m OK with that.

        • “it offends Americans’ sense of justice to consider illegally obtained evidence.”

          Haha, you can’t be serious. Obviously, you haven’t seen much of our justice system in action.

        • The US does have jurisdiction to investigate crimes involving the hosting of child pornography. See link attached. He ran the websites, so yes he should be (and could be) investigated.

          • Further Thoughts

            He did not run the websites. He owned the website hosting company. That’s like the difference between a person who makes threatening phone calls and the person that runs the phone company.

            • In what scenario is it ordinary business conduct for a “phone company” to collect images of child abuse or encourage criminals to collect more?

              This guy is alleged to be far more than a hosting provider. What evidence do you have to contrast that?

            • BowB4RightNotMight

              Sir;

              This is not a good comparison and you should be ashamed of yourself for spreading that kind of rhetoric. I hope you do not have children or children in your family. The guy’s hosting company was exclusively designed to hide CHILD PORN. You’re comparing this guy to a regular phone company that is designed for public communication and is sometimes used by A$$holes to make pranks.
              I won’t judge you, but I hope you were just being an A$$hole yourself and you didn’t mean it like how it sounds.

  13. As much as I would like to see this individual suffer in some direct physical sense, the civilized part of me will be satisfied if he is consigned for a LONG period of time to the Supermax in Florence, Colorado. For those not familiar with that prison, it’s been described as a living death, and rightly so.

  14. HA! HA! More than one can play at this “hacking” game! Kudos to law enforcement for using the tools at hand!

  15. So basically, all he did was provide VPS’s on Tor? Standard nothingburger from the FBI baby-killers.

    Did Eric Eoin Marques burn 17 little children alive?

  16. Thinking Further

    Eric Eoin Marques was not running the porn sites — he ran Freedom Hosting, an internet website hosting service that had 30,000 or more sites. Of those, the FBI claims 100 sites had child abuse images. Marques ran his business by himself. His terms of service stated that his customers could not upload anything illegal onto their sites or use their sites for any illegal purpose. He also had a privacy policy that he did not look at or go onto the sites being hosted on his servers. Holding Marques responsible for the contents of his customers’ websites breaks new legal ground. This is like holding Amazon Web Services responsible for the contents of all the websites on AWS or holding Twitter responsible for all the tweets, pictures, and videos tweeted by the millions of Twitter users. The FBI has called Marques the largest facilitator of child porn, which has been effective at getting the public to rush to judgement. In reality, he is a guy with Asperger’s syndrome who had a Tor website hosting company in his bedroom, and 100 of the more than 30,000 sites were run by customers taking advantage of the situation to run sites with child porn. No one has suggested exactly how he was supposed to ferret out those abusive sites. Amazon Web Services also does not allow illegal content, but it refuses to remove illegal content that is reported to the company, which is a complex, obscure, and difficult process, unless there is a court order stating the content must be removed. In other words, AWS handles illegal content by ignoring it, even if it is reported, unless there is a court order stating it must be removed. The FBI never tried going to Marques with a court order stating which sites were to be removed, but instead arrested him and charged him with crimes, as being responsible for the content of all the websites on his web hosting service. This breaks new territory in US internet crime prosecutions.
    Is the DOJ going to hold AWS, Twitter, Facebook, and all the internet giants responsible for all the content posted by all of its users? If not, exactly why are they doing that to this one guy from Ireland? Maybe that will be explained in this court case.

    • Is a diagnosis of Asperger’s an affirmative defense to anything?
      Seems he was very high functioning if true.

      We do not know if he was checking the contents of those he was hosting or not. Likely he was observed remotely or there is other evidence he was involved in more than hosting.

      One wonders if the following is true, why he would do such a thing, “in addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”

      What was so precious on that laptop?

      With the Cloud Act having been passed a year ago, the feds likely have much more information available than has been publicly released to date.

      https://money.cnn.com/2018/03/23/technology/spending-bill-microsoft-lawsuit-supreme-court/index.html

      • A person can dive for any number of reasons, including to avoid the explosive end of an agent’s firearm. It doesn’t prove ownership or intent or guilt.

        As for the law you mentioned, it came years after this guy was arrested. Doesn’t apply.

    • Random Thoughts

      I think you hit the nail on the head. I was looking for information in this article that might highlight what he was doing instead of what the DOJ wants people to read. Admittedly I didn’t read the linked articles but it does appear you are right. He ran a hosting service that simply did not shutter some sites run by other individuals. Those are the people I want to see shut down. Not a hosting provider that has sites that Governments don’t like.

      I am conflicted because he likely isn’t cooperating with investigators to close down the sites that SHOULD be closed. Possibly because the US Government would want other sites closed because they harm big companies or share secrets the government would like to not be shared.

      But I don’t think we should rush to judgement that he or anyone should be harmed in jail just because a DOJ PR report said they did something so horrendous we don’t want to think about it. DOJ has been wrong before, and this piece appears to be another example if he was a web site hosting company and not actually involved with or visited or even received complaints about the offending sites.

      • Further Thoughts

        Thanks for thinking logically. As explained in many news stories, when the rented server used by Marques was taken down by the FBI, all the sites on it were taken offline.

        And the story gets better still. Supposedly some of these alleged child abuse image sites are actually Japanese manga or other cartoons. That’s why it’s so important to see what the evidence actually is.

        • Thinking Further, Random Thoughts, and Further Thoughts. Are you three somehow related, having a “discussion” of talking points you’ve already agreed on?

          • Oh I don’t know, Steve, are WE the same people?! Are WE just having a discussion within ourselves?! The internet may never know…

            • Oh Steven, you silly, silly man. Wait… is this the same Steve or are there now THREE OF US??!!

              • Come on Steve, they are all one person and it is you and I who are different. Or… what if… even ALL of us are the same person?! MY HEART CAN’T HANDLE THIS SITUATION!!!!

        • Can you cite to this research, so we may also read it?

          In regards to the CP sites actually “only hosting Japanese Manga or other cartoons”.

    • He would have known about the child porn sites in 2011, when Anonymous started Operation DarkNet and was DOS’ing his hosted sites.

    • You have it all wrong. In some of the other research and articles about Freedom Hosting, Marques clearly knew what servers and sites his clients were hosting (CP) and still continued to let them operate on his hosting and in some cases even helped them to avoid takedowns or LE operations.

      He is not some innocent random guy who ran a website hosting company as you claim. He knowingly helped to host CP and disgusting sites and keep them online.

      • Further Thoughts

        Can you cite to this research, so we may also read it?

        • Sure thing. He was fully aware of the content he was hosting and actively marketed it as such.

          https://thegoldwater.com/news/29059-World-s-Largest-Facilitator-of-Child-Porn-will-be-Extradited-to-the-US-to-Face-Justice

          “Prosecutors say that Marques was born in the United States of America, but that he’s an Irishman who fled the United States of America to set out upon a profitable venture on the internet with the intention of targeting child pornographic distribution networks in order to make his fortune, and that’s what the FBI says he did.”

          “The Federal Bureau of Investigation participated with coordination of the low-key raid on Marques, where for years he’d bragged to the pedophiles using his services that he was untouchable.”

          “The argument from the FBI is that Marques was fully aware of what he was doing; knowing that child pornography was being hosted on his services and that he was profiting from this.”

          • Thank you.
            Unimaginable that people treat the worst child abuse so lightly.

          • Buncha Malarkey

            You should consider getting your information from more reliable sources . He “fled” the United States at the age of 4 because his parents moved back to Ireland and imagine this – they took their 4 year old with them. He is only a US citizen by birthright; neither of his parents is a US citizen and he lived only a few years in the US, as a young child.

    • IF that is the case, then it will set and change precedent and you’d see Facebook, Twitter et al flip their lids over it. I seriously doubt that is the case.

    • BowB4RightNotMight

      You sound like you were one of his users, sir. If he had 100 child porn sites on his hosting server, what are the other websites advocating? It surely cannot be religion. You make no sense. You wrote an entire essay to justify why a Child Porn advocate is innocent? Is that what this essay is about? #BowB4RightNotMight

  17. I’m confused. How can the FBI have jurisdiction here?

    Unless the pedo-websites were actually hosted in the US or the operator resided in the US, the FBI should not be involved as it is a national bureau of investigation with jurisdiction in the US alone. Eric Eoin Marques lived and operated the site from Ireland.

  18. To echo the comments of ‘Thinking Further’ above.. There was a lot of collateral damage when Freedom Hosting was shut down. I don’t think many people realized how many (non-porn) Tor sites were running on Freedom Hosting until it disappeared.

    If Marques was knowingly hosting child porn sites, that’s a problem that needs to be dealt with. I’m not sure that we can jump to that conclusion.

    It’s not clear whether, or to what extent, he knew what was being hosted. An ethical hosting provider does not go sifting through the contents of their customers’ data. If they receive an abuse complaint, they are aware at that point and have a duty to respond. It’s doubtful that the child porn sites identified their hosting provider, and due to the nature of Tor there was no other way of identifying and contacting the provider. It’s highly unlikely that Freedom Hosting was notified of the content.

    This is likely a case of the Marques taking the money and looking the other way, but pursuing criminal penalties for child porn/abuse appears to be inappropriate.

    • He had to have known he was hosting child porn by 2013. Anonymous started DDOS’ing those sites in 2011 as part of Operation Darknet. To say a hosting provider wouldn’t be aware of the systems issues and the publicity surrounding it is just not credible.

      https://www.bbc.com/news/technology-15428203

      • Further Thoughts

        The article you linked does not back up your claims. It is not likely their efforts, which were crimes in themselves, knocked anything off Tor, let alone any specific offensive sites. Just because someone calling themselves Anonymous claims to be doing something does not mean it is actually happening.

  19. “The sites could only be accessed using the Tor Browser Bundle”

    This isn’t strictly true; you do need to use Tor, but you can use that with any browser if you have the service running on your computer. The Tor Browser is just a tool that makes Tor easier to use.

  20. Look at you all. This group has abandoned all common decency and is quarreling over a Firefox back door. Forget the kids, who were TORTURED and RAPED, let’s get mad about something that was probably designed to stop this sick industry. What happened to the children afterwards? Thought about that? Your internet god has removed all traces of decency in you all.

    • Not so, Charlie. Most children who become the subjects of child porn images and videos have this done to them by their parents, guardians, or other people in their lives who are in a position of trust. That’s why going after the creators of child porn, or those that run websites trading in child porn, makes sense.

      Putting criminal responsibility onto the man who ran a website hosting service, the terms of service of which clearly stated that no illegal contents were allowed onto the sites, makes little to no sense. If you want website hosting services to be responsible for the contents of all the websites on the host services, then no one will be able to be a website host.

      This is quite like holding the phone company responsible for everything everyone says on all phone calls. It makes no sense. Should the presidents of iPhone and Sprint be put in prison because teenagers are sexting and old men are sending dick pics?

    • And what about dissidents and people who are trying to fight government oppression who might be facing torture and death because of backdoors. Study the history of oppressive regimes and they often start with violations of civil liberties that are emotionally justified but then lead to abuses that include genocide.

      I would also add that in the US a person is innocent until found guilty by a jury. If you think vigilante justice works read “The Oxbow Incident”

    • Charlie, you’re wrong.

      This article is primarily about technology and a long-running legal case. The comments reflect this.

      Second, a comments section is not an appropriate venue for psychological support or victim pathologies.

  21. I wonder if this was leveraging the WebRTC exploit, because all the info I read points to it.
    A lot of common VPN providers were also affected by this browser issue!

  22. So glad you reported on this development. At a time when the FBI seems to be under attack for political reasons, it is good to push a story like this to the forefront. Child porn, and those profiting from it need to be tracked down and held accountable.

    Thanks Krebs for keeping us informed. You do a great job.
    Respectfully,

    Kevin D. Eack

  23. @Brian

    > 3o [sic] years for each count

    You have an O where you probably should have a 0.



Man Behind Fatal ‘Swatting’ Gets 20 Years — Krebs on Security

29
Mar 19

Man Behind Fatal ‘Swatting’ Gets 20 Years

Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.

Tyler Barriss, in an undated selfie.

Barriss has admitted to his role in the Kansas man’s death, as well as to dozens of other non-fatal “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompting a heavily-armed police response to the location of the claimed incident.

On Dec. 28, 2017, Barriss placed a call from California to police in Wichita, Kan., claiming that he was a local resident who’d just shot his father and was holding other family members hostage.

When Wichita officers responded to the address given by the caller — 1033 W. McCormick — they shot and killed 28-year-old Andrew Finch, a father of two who had done nothing wrong.

Barriss admitted setting that fatal swatting in motion after getting in the middle of a dispute between two Call of Duty online gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner and Gaskill are awaiting their own trials in connection with Finch’s death.

Barriss pleaded guilty to making hoax bomb threats in phone calls to the headquarters of the FBI and the Federal Communications Commission in Washington, D.C. He also made bomb threat and swatting calls from Los Angeles to emergency numbers in Ohio, New Hampshire, Nevada, Massachusetts, Illinois, Utah, Virginia, Texas, Arizona, Missouri, Maine, Pennsylvania, New Mexico, New York, Michigan, Florida and Canada.

“I hope that this prosecution and lengthy sentence sends a strong message that will put an end to the juvenile and reckless practice of ‘swatting’ within the gaming community, as well as in any other context,” Kansas U.S. Attorney Stephen McAllister said in a written statement. “Swatting is just a terrible idea. I also hope that today’s result helps bring some peace to the Finch family and some closure to the Wichita community.”

Many readers have commented here that the officer who fired the shot which killed Andrew Finch should also face prosecution. However, the district attorney for the county that encompasses Wichita decided in April 2018 that the officer will not face charges, and will not be named because he isn’t being charged with a crime.

As the victim of a swatting attack in 2013 and two other attempted swattings, I’m glad to finally see a swatting prosecution that may actually serve as a deterrent to this idiotic and extremely dangerous crime going forward.

But as I’ve observed in previous stories about swatting attacks, it would also be nice if more police forces around the country received additional training on exercising restraint in the use of deadly force, particularly in responding to hostage or bomb threat scenarios that have hallmarks of a swatting hoax.

For example, perpetrators of swatting often call non-emergency numbers at state and local police departments to carry out their crimes precisely because they are not local to the region and cannot reach the target’s police department by calling 911. This is exactly what Tyler Barriss did in the Wichita case and others. Swatters also often use text-to-speech (TTY) services for the hearing impaired to relay hoax swat calls, as was the case with my 2013 swatting.


43 comments

  1. The Sunshine State

    Thanks for posting this article :–)

  2. Completely earned every year of his sentence and more. Sociopath.

  3. 20 yr sentence is not long enough for what amounts to a 1st degree murder (albeit of a different victim).

    He should be sentenced to life without parole. This was not the first time he attempted murder by this means.

    And he trashed two families — that of the victim and that of the law enforcement officer who fired the shot.

    • Rube Goldberg's Razor

      The dead man’s niece shot herself to death a year later, then her boyfriend did the same after finding her dead: https://www.foxnews.com/us/2-suicides-directly-related-to-deadly-swatting-hoax-victims-family-says
      And, yes, that cop obviously enjoyed his opportunity. Of course there are good cops, but the profession is seventh on the list of the top ten that attracts psychopaths. He didn’t need more training, he needed a heart. I’ve personally thanked police for de-escalating situations, and have seen some who just need to be shot themselves.

    • I agree with you, Edward, and I think there are not many people being vocal enough about the reality of the situation. No matter what rationalization each of us chooses, there are several families severely impacted by this, an event that really would have never happened had this young person not become obsessed with escalating and increasingly bolder swats.

  4. This is certainly justified. The policemen should have been prosecuted, too. That’s trigger-happiness at its worst.

  5. I agree with more police training

  6. I love you armchair quarterbacks talking about the police. You internet badasses would’ve pissed your pants and called for your mommies to bring you your tendies. Respect your police, respect the rule of law, or this society is doomed. Goddamn keyboard warriors.

    • Absolutely right my man. If a cop fatally shoots someone in your family, you had better give them your respect. I mean, even if they didn’t violate any laws, who cares? It’s the men in blue!

      It’s not like innocent people being shot by those who protect has any implications of where society is heading…

    • Dude, the cop shot a hostage. Let that sink in. If this was a real hostage situation, the police would not have known that the shooter didn’t send a hostage to the door. That trigger happy cop would have shot an innocent person, hoax or not.

  7. Tragic all ’round, but I’m glad he will at least be off the phone networks for a decade or so. I really don’t see why this was ever a thing; the police response should be more deliberate. Good on you and all who work to make it obvious how foolish this is. I should hope gamers will censure those who espouse such actions.

  8. I’m still waiting for that idiotic commenter to say that “we shouldn’t be putting people in prison.”

    Until then, I’m gonna say, AMEN! That human waste deserved every single second of it. Now hang on buddy and don’t drop the soap! PS. With a crime like his he’d be a good gf.

  9. Barry Ocasio Cortez

    We shouldn’t be putting this person in prison. He is a victim of racist, capitalist, patriarchal hegemony and should get lots of hugs and free stuff.

  10. The only thing wrong with this 20 year sentence is that the schmuck will probably only actually do 8 of that.

    • Unless I’m mistaken, he will serve all 20 years. There is no parole in the U.S. federal prison system. They can earn time for good behavior but this guy has shown zero remorse and the last time he was incarcerated he reportedly tried to swat someone from jail, so that seems unlikely.

      • Correct, under the federal system you’d only earn a few weeks per year. If he really, really behaved, he’d still end up serving 17 or 18 years.

      • “This guy has shown zero remorse and the last time he was incarcerated he reportedly tried to swat someone from jail.”

        Whaaat ? Some people are really insane…

  11. 20 isn’t enough.

    Worse, the COP SHOULD HAVE BEEN CHARGED. Did you see the bodycam video? The resident came out of his house, raised his hands, and then got shot. His head popped. The cop shot him FROM ACROSS THE STREET WHILE THE VICTIM HAD HIS EMPTY HANDS UP. Then the cops claimed that they “felt” threatened. Bull$#!+. That cop should share a cell with the swatter.

  12. The trigger happy policeman should have been charged with murder.

  13. David Longfellow

    Throw away the key.

  14. For what it’s worth, if organized crime (or even local gangs) realized how easy it is to swat someone and used it as a distraction while carrying out more serious crimes it would be even worse. At least it’s still 20 somethings and young adults upset over gaming instead of … (use your imagination crimes swat would normally get called for).

  15. Brian, was this just for the charges for this one incident? I’m guessing that the charges for all of the other bomb threats and SWATtings are still pending and he could be seeing a lot more trials and prison time?

    As I recall, Canada is also interested in him.

  16. I should have realized this earlier, but how is it they called such a thing in for someone that had nothing to do with the game or the individual who called it in? Am I missing something here? Do these “swatters” just call these in to random people? I don’t get it!

    • The intended victim gave out an old address and the swatter used it.

      — This was in some of the older reporting.

      • Ach! Thank you, timeless, I had completely forgotten that! What can I say, I’ve got “old timer’s disease”! 🙁

  17. Perhaps there was an address change that this criminal was not aware of?

  18. My bet is that Tyler is such a weasel that he’ll figure out prison life pretty quickly… But man, that baller grin, that i-know-wussup wannabe smirk and that fair-skinned face are going to look a lot different when he makes parole.

  19. I’ve always thought the best deterrent would be for the perpetrator to be subjected to the same punishment as that he wrought on his victims.
    Execute murderers.
    Put rapists in a cell with Bubba.
    Take a thief’s every possession.
    And so on.

    This scumbag was an accessory to murder and deserves nothing less than the death penalty.

  20. The video of the police officers shooting this guy is disgusting. No weapon, no “hostages” in danger. Multiple officers all with weapons trained on the guy. Multiple officers shouting instructions. One shoots him with a rifle from across the street. Absolutely not justified. I hope the civil case results in this officer losing everything. It should not be this easy to “trick” the police into killing another human being.

    • Agree. You have to also consider that if this was a real hostage situation, the shooter may have sent a hostage to the door. The cop essentially shot the hostage.

  21. Such a positive way to protest! I wish more protesters would raise $ for a good cause. 🙂

  22. “I hope that this prosecution and lengthy sentence sends a strong message that will put an end to the juvenile and reckless practice of ‘swatting’ within the gaming community, as well as in any other context,” said Kansas U.S. Attorney Stephen McAllister said in a written statement. “Swatting is just a terrible idea. I also hope that today’s result helps bring some peace to the Finch family and some closure to the Wichita community.”

    And how about the message repeatedly sent that the ‘boys in blue’ are little more than paid executioners. Not even a slap on the wrist for the cretin behind the badge who snuffed out an innocent life. And people wonder why cops in general are so hated by so many. It’s not just the bad cops, it’s their enablers like the county DA in this case, that are beneath contempt.

  23. Message to citizens: WE THE COPS can kill you whenever we want, and we will not be charged. Don’t like it, tough luck, obey the system!

  24. Punitha Manavalan

    Brian, an imaginative flurry at my end – of internet network complications, interference, chaos and confusions that will always perhaps implicate an innocent.

    🙂 Most of the time personally I like to error on the side of.. simply giving everyone involved a nice vacation. :_

  25. The cop didn’t get charged?
    How typical.

    so if a cop made anonymous “swat” calls at a target address, they would be justified to shoot people freely once sent out to the location?

    sounds like a pretty serious flaw

  26. How did he find the identity of the man he called in the SWATing hoax on? Did he know his name or did he use another way to find out the real identity of the online gamer?
